
FinalExam

sethnielson edited this page May 2, 2019 · 2 revisions

The final exam is a combination of lab-work and write-up. Although some parts of the "labwork" can be performed as a team, the final exam submission is individual. Your submission is due by 9:00PM on MAY 8. That is the scheduled final exam time for our class and the university requires that all course work must be submitted by that time. Please do not ask for an extension as I am not allowed to give one.

Your submission will be a written paper with two sections and of approximately 2-5 pages. There is no official minimum or maximum but 2-5 pages is a good estimate. Please refer to the details below.

Part 1: Team Contributions

Part 1 of your exam is to detail how much you contributed this year to the development of labs 0, 1, and 2. You should provide a description of what you contributed and your approximation of how much of the overall project you contributed, calculated as a percentage. For example, if everyone in a five-person group contributed equally, each person's percentage would be 20%.

Contributions can include many things including:

  1. writing source code for lab functionality
  2. writing unit tests for testing lab code
  3. other testing/debugging of code
  4. designing algorithms, features, etc.
  5. PRFC drafting, editing, fixing
  6. interacting with other teams for collaboration

Any activity where you personally contributed to the forward progress of your team counts, but there must actually be a contribution. If, for example, the team had a session around a white-board designing an algorithm, you can only include that in your list if you were making suggestions, asking questions, or otherwise "contributing" to the team session. If you were "team programming" (two or more team members sitting around a single computer screen), you can only include that in your list if you were actively assisting. Even if you contributed, if it was significantly less than others, you should reduce the time you include in your personal list. If it was a one-hour meeting and you only offered a few thoughts here and there, list your time as 15 minutes or something sensible.

These numbers are obviously subjective, but be as honest and as fair as you can. Where objective measures exist, include them. If there are github commits that are entirely yours, list them. If there are algorithms for which you are the primary creator, include that information. If you wrote a bunch of unit test cases, say so.

Once you have put together your Part 1 section, you must submit it for review by your team. If they disagree with you, you should consider revising your submission. However, this is not required, and you should still submit what you believe is accurate and fair. But you must include an entry for how much each team member feels you contributed. So the final part of your Part 1 section should look like this:

Jane Doe: 15%
John Doe: 25%
Joe Smith: 20%
Sally Forth: 20%

Part 2: Attacking PLS Roast

Your job in this section is to come up with some kind of attack on PLS Roast, implement an attack, and test it on other team implementations (embodied in their servers).

This might sound complicated, but there is a very easy approach to try if you don't want to spend time analyzing the cryptography. Our PLS Roast implementations should verify that a certificate chain is correct. I have not fully specified what "correct" is because I want you to think about it. Only a few requirements have been listed explicitly; some others were described or hinted at in class.

The easiest way to complete this part of the exam is to create a certificate or certificate chain that is incorrect in some way. You can deploy the incorrect cert/cert chain by creating and using a different cert_factory.py that returns the bad cert/cert chain and connecting to the victim server. If the handshake completes, you have found a vulnerability! If it does not complete, the server is not vulnerable to your attack. This entire process could take as little as an hour.
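To make "correct" concrete from the server's side, here is an added chain validator (example code written for this page, not the course's cert_factory.py or any team's PLS Roast implementation) that enforces the checks a server should be doing, written against the Python cryptography library with self-generated RSA keys. The leaf-first chain order, the names, and the three constructed scenarios (one good chain, a forged intermediate, and an end-entity certificate acting as an issuer) are assumptions made for the example.

```python
from datetime import datetime, timedelta
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

def make_cert(subject, issuer, issuer_key, pubkey, is_ca, days=30):
    now = datetime.utcnow()
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject)]))
            .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer)]))
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def validate_chain(chain, trusted_roots):
    """`chain` is leaf-first. Returns None if it validates, else a string naming the first failure."""
    now = datetime.utcnow()
    anchors = {r.subject.rfc4514_string(): r for r in trusted_roots}
    for i, cert in enumerate(chain):
        if not cert.not_valid_before <= now <= cert.not_valid_after:
            return f"cert {i}: outside its validity period"
        # Each cert's issuer is the next cert; the last one must be issued by a trust anchor.
        issuer = chain[i + 1] if i + 1 < len(chain) else anchors.get(cert.issuer.rfc4514_string())
        if issuer is None:
            return f"cert {i}: issuer is not a trusted root"
        if cert.issuer != issuer.subject:
            return f"cert {i}: issuer name does not match the next cert's subject"
        # BasicConstraints must be present and say CA; an end-entity cert must not issue certs.
        if not any(e.value.ca for e in issuer.extensions if isinstance(e.value, x509.BasicConstraints)):
            return f"cert {i}: issuer is not marked as a CA"
        try:  # the check that actually binds the chain: each cert is signed by its issuer's key
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       padding.PKCS1v15(), cert.signature_hash_algorithm)
        except InvalidSignature:
            return f"cert {i}: signature does not verify under the issuer's key"

def run_scenarios():
    """Constructed fixtures (made-up names): one good chain and two bad ones a server must reject."""
    root_key, inter_key, leaf_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    root = make_cert("Root CA", "Root CA", root_key, root_key.public_key(), True)
    inter = make_cert("Inter CA", "Root CA", root_key, inter_key.public_key(), True)
    leaf = make_cert("server", "Inter CA", inter_key, leaf_key.public_key(), False)
    fake_inter = make_cert("Inter CA", "Root CA", leaf_key, inter_key.public_key(), True)  # right names, wrong signer
    sub_leaf = make_cert("evil", "server", leaf_key, inter_key.public_key(), False)  # issued by a non-CA
    return {"good": validate_chain([leaf, inter], [root]),
            "forged_intermediate": validate_chain([leaf, fake_inter], [root]),
            "non_ca_issuer": validate_chain([sub_leaf, leaf, inter], [root])}
```

A server that skips any one of these checks (name linkage, CA flag, signature, validity, trust anchor) will accept one of the bad chains above, which is exactly the class of flaw the swapped-in cert_factory.py test is meant to expose.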

Your write-up should detail exactly what you are testing for, which servers you tested it against, and the results.

Submission Instructions

This exam will be submitted by email. Create your report (don't forget to include your teammates' endorsements for section 1) in either Word or PDF. Send to both the professor and the TA.

Grading

Each section is worth 25 points. Section 1 will be graded based on how much you contributed to your team. If you contributed 20% (an equal share), you will get 25 points. Your score will go up or down if your contributions were higher or lower. If there is a significant discrepancy between your numbers and your team's endorsements, we will contact you to make a determination for scoring.

Section 2 is 10 points for describing a reasonable attack and 15 points for test results. If you find and test a vulnerability that is beyond simple certificate checking, we will award up to 50 bonus points at our discretion. You may email us first if you have an idea and would like to know if we think it is valuable.