A prof and 2 TAs all want to be able to modify a gradebook, so they want to store it on a public cloud as opposed to locally. However, they do not trust the security of the cloud. Therefore, each time they want to modify the gradebook, they will download it, modify it on their local computer and re-upload it (you may assume that they always download/modify/upload the gradebook one at a time). They will create a wrapper program that is run on their local computers. The wrapper program will have three components: (1) setup, which will initialize a new gradebook with a specified name and will generate a single key that allows access to the gradebook for authorized parties. Copies of the same key will be stored locally on the computers of the Prof and TAs. (2) gradebookadd, which will allow adding a new student or assignment, or entering a new grade for a student and assignment already contained in the gradebook. (3) gradebookdisplay, which provides a few ways in which students' grades can be printed out. Before executing an add or display query, both gradebookadd and gradebookdisplay will check whether the gradebook has been modified by an unauthorized party who does not hold the key that is associated with the gradebook. If such "tampering" is detected, an error message will be printed out.
Your goal is to write a secure wrapper program that prevents an attacker, who does not have the key, from learning information about the contents of the gradebook (privacy) or from modifying the gradebook without being detected (integrity). The threat model assumes that the cloud is fully compromised, allowing an attacker to read or modify any files stored there.
Your program will be evaluated based on correctness tests we run on it, the design document you submit justifying your design choices, and whether other students successfully attack your code during the Break-It phase. (In the Break-It phase, you will receive points for a successful attack on other students' implementations, but will not lose points for other students' attacks on your implementation. Extra credit may be assigned, based on the Instructors' discretion, for submissions that perform well during the Break-It phase.) During Break-It, a successful attack launched in the above threat model (where only the cloud is compromised) will automatically receive points. Attacks that require access to the local computers of the Prof and/or TAs will be considered on a case-by-case basis. In particular, students need to explain why their attack is made possible by a vulnerability in the gradebook wrapper program itself (as opposed to an attack that is always possible, even when there is no vulnerability in the wrapper program, such as stealing the key). E.g., if a malformed input to the wrapper program causes a buffer overflow that can be used to perform code injection, this would be a valid exploit.
You will build the most secure implementation you can; then you will have the opportunity to attack other students' implementations.
You will write your implementation in C. There is some basic starting code available. There are example makefiles available.
You will design a gradebook format and implement setup as well as both gradebookadd and gradebookdisplay to use it. Each program's description is linked below.
- The setup program generates a key and an empty gradebook with a specified name. The program returns the key to the user.
- The gradebookadd program receives as input the name of a gradebook and a key. The gradebookadd program adds data to a gradebook.
- The gradebookdisplay program receives as input the name of a gradebook and a key. The gradebookdisplay program displays data from the log.
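Because the threat model lets the attacker replace the stored gradebook with arbitrary bytes, gradebookadd and gradebookdisplay have to treat the downloaded file as untrusted input before the key is ever used. The following is an added example, not part of the assignment or its starting code: a bounds-checked parser for an assumed file layout, plus a constant-time tag comparison. The magic value, field sizes, size cap and all `gb_` names are hypothetical; computing the MAC and decrypting are left to a vetted crypto library.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed on-disk layout (hypothetical, not specified by the assignment):
 *   magic[4]="GBK1" | nonce[12] | ct_len (4 bytes, big-endian) | ct[ct_len] | tag[32]
 * The tag is assumed to be a MAC over every byte that precedes it. */
#define GB_MAGIC   "GBK1"
#define GB_NONCE   12u
#define GB_TAG     32u
#define GB_HDR     (4u + GB_NONCE + 4u)
#define GB_MAX_CT  (1u << 20)   /* assumed cap on gradebook size: 1 MiB */

struct gb_view {                /* pointers into the caller's buffer, no copies */
    const uint8_t *nonce, *ct, *tag;
    size_t ct_len;
};

/* Split an untrusted file image into its fields. Returns 0 on success and -1
 * on any structural problem. Nothing is decrypted or interpreted here. */
int gb_parse(const uint8_t *buf, size_t len, struct gb_view *out)
{
    if (buf == NULL || out == NULL) return -1;
    if (len < GB_HDR + GB_TAG) return -1;             /* truncated file */
    if (memcmp(buf, GB_MAGIC, 4) != 0) return -1;     /* wrong format */

    const uint8_t *p = buf + 4 + GB_NONCE;
    uint32_t ct_len = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                      ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];

    /* Compare against the bytes really present; never add the attacker-supplied
     * ct_len to a pointer or size before this check (the sum could wrap). */
    if (ct_len > GB_MAX_CT) return -1;
    if ((size_t)ct_len != len - GB_HDR - GB_TAG) return -1;

    out->nonce  = buf + 4;
    out->ct     = buf + GB_HDR;
    out->ct_len = ct_len;
    out->tag    = out->ct + ct_len;
    return 0;
}

/* Constant-time tag comparison: the running time does not depend on where the
 * first mismatching byte is, unlike memcmp. Returns 1 if equal, 0 otherwise. */
int gb_tag_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}
```

A caller would run `gb_parse`, recompute the MAC over the bytes before `tag`, reject the file with the tampering error unless `gb_tag_equal` returns 1, and only then decrypt `ct`.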