Department of Electrical Engineering and Computer Science
Syracuse University

Set-UID Program Vulnerability Lab

Overview

Set-UID is an important security mechanism in Unix operating systems. When a Set-UID program is run, it assumes the owner's privileges. For example, if the program's owner is root, then whenever anyone runs the program, it gains root's privileges during its execution. Set-UID allows us to do many interesting things, but unfortunately, it is also the culprit behind many bad things. Therefore, the objective of this lab is two-fold: (1) appreciate its good side: understand why Set-UID is needed and how it is implemented; (2) be aware of its bad side: understand its potential security problems.

Lab Description and Tasks (pdf)

For instructors: if you prefer to modify the lab description to suit your own courses, you can download the source files (LaTeX) from here.

Time for This Lab: 2 weeks

Lecture Video: (watch)


Helpful Documents


Student Feedback

To help us understand how effectively this lab has enhanced students' learning in computer security, we asked students to fill out an anonymous survey right after they finished the lab. We have conducted the survey since 2007. The survey results depicted below are aggregate results over several years.