Project 4 (Build it) Due 11/25 @10:59am
Project 5 (Break it) Due 12/9 @10:59am
In this project, you will implement a secure log to describe the state
of an art gallery: The guests and employees who have entered and left,
and persons that are in rooms.
In the setup phase, a cryptographic key will be generated and associated
with a particular log. Subsequently, the cryptographic key will
be used by the legitimate parties who modify and/or read the log.
Specifically, after the setup phase, the log can be accessed by a legitimate party who holds the key via two
programs. One program, logappend
, will append new information to the log file,
and the other, logread
, will read from the file and display the state of the art
gallery according to a given query over the log. We call the cryptographic key used by both programs the
"authentication token," and it is supplied as a command-line argument, by
a legitimate party who runs logappend and logread.
Specifications for these two programs and the security model are described in more
detail below.
You will build the most secure implementation you can; then you will have the opportunity to attack other students' implementations.
You will write your implementation in C. There is some basic starting code available. There are example makefiles available.
Project 4: Build it
You should submit via Canvas:
Project 5: Break it
We will assign you three students' implementations to examine. You should submit via Canvas:
If you demonstrate a working security break, then your vulnerability analysis document only needs to include your description of that one vulnerability, you don't need to go any further.
If one of your assigned implementations doesn't work well enough to analyze, please request an alternate implementation from an instructor.
Project 4 will be worth 100 points:
Project 5 will be worth 100 points:
You will design a log format and implement setup
as well as both logappend
and
logread
to use it. Each program's description is linked below.
setup
program generates an authentication token (i.e. a cryptographic key) and an empty log file with a specified name. The program returns the key to the user.logappend
program receives as input the name of a logfile and an authentication token. The logappend
program appends data to a log logread
program receives as input the name of a logfile and an authentication token. The logread
program reads and queries data from the log logread
contains a number of features that are optional. If you do not implement an optional feature, be sure to print unimplemented
to standard output.
Look at the page of examples for examples of using the logappend
and logread
tools together.
The system as a whole must guarantee the privacy and integrity of the log in
the presence of an adversary that does not know the authentication token. This token
is used by both the logappend
and logread
tools, specified on the command
line. Without knowledge of the token an attacker should not be able to:
logread
or otherwise learn facts
about the names of guests, employees, room numbers, or times by
inspecting the log itselflogappend
. logread
or logappend
into accepting a bogus file. In
particular, modifications made to the log by means other than correct use of logappend
should be detected by (subsequent calls to) logread
or logappend
when the correct token is supplied
To allow for formal modeling, we assume two types of objects: a token object and a file object. A token object consists of the value of the token. A file object consists of the name of the file and the payload (i.e. the file itself). We assume that the setup
algorithm takes as input a file name and outputs a token and file object. The logappend
algorithm takes as input a token and file object as well as additional arguments. The logread
algorithm takes as input a token and file object as well as additional arguments.
setup
, name) to the Challenger.
setup
with argument name
and generates a token object T and a file object F (initialized
with the correct name).
The Challenger sends F back to the Attacker.
logappend
requests with any file F' and arguments A of its choice
by sending (logappend
, F', A) to the Challenger.
After each request, the Challenger runs logappend
with token T, file F' and arguments A.
If the output is ``invalid'', the Challenger returns
``invalid'' to the attacker. Otherwise, the Challenger
returns the updated file F'' output by logappend
.
logread
or logappend
with token T and
file F* does not return ``invalid.'' No efficient attacker should be able to win the game
with non-negligible probability. setup
, name) to the Challenger.
setup
with argument name
and generates a token object T and a file object F (initialized
with the correct name).
The Challenger sends F back to the Attacker.
logappend
requests with a file object F' and a pair of
arguments (A^i_0, A^i_1), by sending
(logappend
, F', (A^i_0, A^i_1)) to the Challenger.
After each request, the Challenger runs
logappend
with token T, file F' and arguments A^i_b.
If the output is ``invalid'', the Challenger returns
``invalid'' to the Attacker. Otherwise, the Challenger
returns the updated file F'' output by logappend
to the attacker.
logread
program.
These requests will consist of a file F' and additional arguments A' (i.e.
logread
, F', A') will be sent to the Challenger).
The Challenger will run logread
with the token T, file F' and the additional arguments A'
and return the output to the Attacker.
Now, an Attacker can trivially distinguish
whether the logappend
commands are being run with
arguments (A^1_0, A^2_0, ...) or (A^1_1, A^2_1, ...)
in the case that the correct (logread
output differs with respect to the
these sequences of logappend
requests.
However, the security definition still makes sense if we restrict the attacker to sequences of arguments
(A^1_0, A^2_0, ...), (A^1_1, A^2_1, ...)
for logappend
and sequences of arguments for logread
for which in an ideal implementation the output sequence
produced from logread
would be identical when the logappend
sequence is
(A^1_0, A^2_0, ...) vs. (A^1_1, A^2_1, ...).
In particular, this is the case for any sequence of (A^1_0, A^2_0, ...) and (A^1_1, A^2_1, ...), as long as
logread
is never called! This is equivalent to the simpler security game we specified above.