20-CS-6056 Security Vulnerability Assessment Spring 2020

Authentication, Availability, Confidentiality, Integrity, Defense Principles, Intrusion Detection, Attack vectors, more

Vulnerabilities Contest

This is a contest of attack and defense. The contest begins at 8AM on April 21 and ends in the evening of April 23. Prizes for winners: $150 for 1st place (as measured by number of points), $100 for second place, $50 for third place. It is OK for groups to form and work together to trade for resources so as to be able to build weapons, vehicles, and computers or to manipulate the market value of raw materials and finished products.

Your grade depends on both the outcome of the contest and a final report. The weighting is 25% contest, 75% final report. See below for specifics.

The final report is due 11:59PM, May 1 (OK, if you are a little late and I have some other reports to read I will still accept it).

I assume you are running the Client in a VM to avoid damage to your host OS.

Rules of Engagement:

  • It is not OK to attempt to break out of the VPN network. That is, team members should stick to poking IP address 10.8.0.XX where XX is a number from 50 to 99.
  • If a VM is compromised (that is, the password is discovered and an opposing team can enter the VM and become root), it is not OK to attempt to open a connection to UC's network from the compromised VM.
  • It is OK to attack during the contest only.
  • Recovery using a snapshot violates the spirit of the contest but if you must, please ask permission from me first.
  • It is OK to transfer files between the host OS and the VM but not between the VM and a UC node.
  • Points are deducted from the final score where the final report indicates an attack that was actually benign traffic or has no mention of an attack that occurred.
  • It is OK to add or remove packages from the VM. For example, you may want to add some analysis tools and remove some potentially dangerous packages that are not needed.
  • If you do something that is not OK, points will be taken away from your final contest score which is 40% of your grade in the course.

Contest (25%):
If you have not competed, you get no score from the contest contribution. If your activity in the contest is low, you will get a low score from the contest portion of the grade. I will not assign a number to what constitutes low activity, to prevent some minimalists from reaching that number and then leaving the contest. If you are generally active in the contest, and throughout the contest, you will get a high score even if your wealth is stolen. But if your identity has been stolen and you give up on getting it back, then a low score will result for you. To get your identity back, email a request to me and I will send your current password and cookie to you. It is OK to ask for your password and cookie a few times. If you are asking for your password and cookie regularly, then that will affect the final contest score because it shows you are doing nothing about having your identity stolen.

Final Report (75%):
The grade for the contest depends mainly on the final report that you submit. It is OK for several people to submit a report together if they worked together during the contest. The report should include the following sections:

  1. Preparation: state the result of any analysis you did before the contest. Include the following subsections:
    • vulnerabilities discovered in the monitor source code.
    • vulnerabilities discovered in the client source code.
    • vulnerabilities discovered in the contest communication protocol.
    • vulnerabilities in the network.
  2. Attack: state and describe the attacks you made on opponents. State who the opponents were and the times the attacks were launched. State whether the attacks were successful. State the outcome of the attacks: for example, was some client or monitor fooled into transferring wealth to you or did you steal wealth, or did you cause an opponent's wealth to disappear from the contest?
  3. Defense: describe how you prevented attacks from succeeding (perhaps you used a firewall with specific rules - but there are lots of other ways). State when attacks took place. State where the attack came from (IP address). State the outcome of attacks (did you succeed or did you lose wealth or were you blocked from transferring wealth or receiving wealth from the monitor?). State the time attacks took place.
  4. Learned: state what was learned. Was there anything you discovered during the contest that is worthy of note (restricted to vulnerabilities)? Is there something you would do differently next time to protect yourself or to attack?