This project is a C-based version of the turnout assignment.

There are three separate deliverables for this project, each due at the start of class (via web-Turnin) on the specified date:

• For Friday, September 21: Attack TurnOut blackbox (ie, without looking at the source code)
• For Tuesday, September 25: Attack TurnOut whitebox (ie, with looking at the source code)
• For Friday, September 28: Submit a patched (secure) implementation

Fill in and submit an attack summary spreadsheet. If you don't use Excel, reproduce the format of this spreadsheet in some reasonable alternative (that the TAs will be able to read and edit).

Be sure to fill in your name in cell A1.

The spreadsheet has two sections:

• Under General Strategy, describe how you went about looking for exploits. If you did something systematic (ideal), describe it. Not everything has to be systematic; just tell us how you approached the assignment.
• Under Exploits, list the attacks you tried against the system. For each attempt, briefly (few words) describe what you tried, indicate whether your attempt succeeded, and give a couple of words saying how you came up with that attempt (either a step in your systematic process or something you just thought to try). You should also provide the steps for each attack you tried. Your steps should be sufficiently concrete that someone without security experience can follow them to reproduce the attack.

Each attack you list should be qualitatively different. Multiple versions of the same attack will cost you points. Attacks are the same if they exploit the same vulnerability with the same result (ie, both use code injection with the same constructs in the same field to achieve the same goal). If you list multiple attacks that look similar but you think are not, give us a sentence or two of justification.

On the day that the whitebox tests are due, we will review some of the vulnerabilities that you found in class. You are free to draw on the attacks found by other students when you patch the code for the third deadline.

Each attack you list should be qualitatively different. Multiple versions of the same attack will cost you points. Attacks are the same if they exploit the same vulnerability with the same result (ie, both use code injection with the same constructs in the same field to achieve the same goal). If you list multiple attacks that look similar but you think are not, give us a sentence or two of justification.

For the Patch Due Date

Submit a zip file containing edited versions of the source code and a README.txt file. Your README should describe each edit you made at a high level (such as "added filtering to the X input") and the class of attacks that edit is designed to mitigate. Your goal is to fix the code to avoid as many attacks as possible, not just the attacks that you personally identified for the first two deadlines.

Grading

In grading this assignment, we will look for:

• Whether you had a sound attack strategy that covered a reasonable set of possible attacks.
• Whether you were able to construct concrete attacks corresponding to the vulnerabilities listed in your strategy.
• Whether you identified appropriate places and methods to mitigate the potential attacks on the system.

We will not announce a number of attacks that you should aim for because real-world systems don't come with this information. A comprehensive and systematic attack strategy is your best evidence for the quality of your work on this assignment (it also helps us gauge your respective abilities in identifying vulnerabilities and crafting exploits).

Course homepage