CS 440X (D09): Software Security Engineering
Project 1: TurnOut-Web

The course staff have implemented a web-based gradebook (called TurnOut) for this course. By default, everyone is listed as getting an NR. Your task is twofold: first, to break into the system to give yourself the grade you're aiming for in this class; second, to fix the system to prevent attacks.

There are three separate deliverables for this project, each due at the start of class (via web-Turnin) on the specified date:

TurnOut-web is running in the VMware image for this class. You may either work in the Fossil Lab in Fuller or set up the image on your home machine. To access the image, see the Turnout Setup Manual. If you've never used the Fossil lab before, you might find this description (from another course) handy. Post to the discussion board with any questions about getting started. We will get you Fossil lab passwords early in the first week of the term.


For the Attack Due Dates

Turn in a text file (raw text please, NOT doc/pdf/etc) with two main parts: a description of your attack strategy (what you looked for and what you tried) and a list of attacks you launched against the system. For each attack:

  1. Give concrete instructions to conduct it (we should be able to follow your steps exactly to reproduce the attack).
  2. Indicate whether the attack was successful.
  3. For the whitebox attacks, if an attack was inspired by the code instead of your attack strategy, also indicate what you saw in the code that led you to construct the attack.

Each attack you list should be qualitatively different. Multiple versions of the same attack will cost you points. Attacks are the same if they exploit the same vulnerability with the same result (i.e., both use code injection with the same constructs in the same field to edit the same student's grade). If you list multiple attacks that look similar but you think are not, give us a sentence or two of justification.

On the Thursday that the whitebox tests are due, we will review multiple students' attack strategies and lists in class. You are free to draw on the attacks found by other students when you patch the code for the third deadline.


For the Patch Due Date

Submit a zip file containing edited versions of the source code and a README.txt file. Your README should describe each edit you made at a high level (such as "added filtering to the X input") and the class of attacks that edit is designed to mitigate. Your goal is to fix the code to avoid as many attacks as possible, not just the attacks that you personally identified for the first two deadlines.

On the day that patches are due, we will review multiple students' edited code in class.


Grading

In grading this assignment, we will look for:

We will not announce a number of attacks that you should aim for because real-world systems don't come with this information. A comprehensive and systematic attack strategy is your best evidence for the quality of your work on this assignment (it also helps us gauge your respective abilities in identifying vulnerabilities and crafting exploits).

