Application Competition Rules
=============================

Requirements
------------

Your team must publish a working version of the IM application by the "code freeze" date. Beyond this date, you must not make any alterations to your application. The source code and installation instructions for both the client and server (if applicable) must be sent to the TA and instructor by the same date.

The server component of your system (if applicable) must be installed and running on one of your VM lab systems by the time indicated in the schedule below. In addition, you must provide each team (besides your own) with two accounts to log in on your IM system. The team usernames should be of the form 'teamT{1|2}' (all lower case), where 'T' is the team number. You must also provide two accounts for the TA.

Schedule
--------

December 11, 2009; 11:59PM (50% penalty per day)

- Code freeze in effect (send your code to the TA & Instructor)
- All application code must be posted to the team websites in the lab.
- All authentication credentials must be provided to the other teams. Teams should begin testing their access to others' applications as soon as they receive credentials.
- All application servers must be functional.
- Competition begins.

December 14, 2009; 6:00PM

- Competition finishes
- Final report due

Scoring
-------

The security features and completeness of implementation of your IM application will provide your team with a base score. During the competition, you will gain or lose points if you compromise others' protocols or are compromised, respectively.
For some specific attacks, the amounts awarded/lost are listed below:

- Attack on identity hiding (from the protocol side): ± 1 point
- Denial of Service (IM client or server denied service): ± 2 points
- Compromise of integrity (messages modified in transit w/o detection): ± 10 points
- Compromise of confidentiality (messages divulged): ± 10 points
- Compromise of authentication (session hijacking, credentials cracked, etc.): ± 10 points

Other types of attacks not listed here may also yield points and will be scored at the instructor's discretion based on difficulty. Attacks must be successful in order to yield points. The attacks may be performed on: (1) the deployed team servers, or (2) an instance of other teams' servers/clients installed locally within your team.

If your IM implementation or protocol has flaws that you did not have time to fix before the freeze dates, but you know what these are and how you would have fixed them given enough time, document these before the competition. Record all applicable flaws, how they could be exploited, and how you would fix them, and submit this to the instructor *before the competition begins*. This may prevent you from losing some or all of the applicable points if another team exploits these specific flaws.

Denial of Service Attacks
-------------------------

In addition, any DoS attack performed must be limited in scope to a single victim system at a time. Once it is clear that a DoS attack you are using is successful, and you have logged the evidence that it is, you must cease the attack. Finally, you must not use a single successful attack against the same system more than once. You must document every step necessary to reproduce the attack if successful, and must show it to the instructor or the lab TA within 24 hours of the report being due.

There is a gray area in the definition of denial of service which may cause confusion as to whether some attacks are permitted outside of the DoS window.
For instance, some failed injection attempts can lead to a DoS. Additionally, many MitM attack techniques can lead to a DoS for some network traffic. In these situations, use your best judgement. You should seek to minimize DoS-like collateral damage when performing attacks early in the competition. If you aren't sure whether a specific attack will cause too much damage, ask a TA or Instructor. Finally, be sure to report any problems that appear to be the result of a DoS against your systems to a TA/Instructor if they occur outside of the designated DoS attack time.

Other Attacks
-------------

In this competition, attacks against other teams' IM applications are the only ones allowed. You may use simple tools like port scanners to discover instances of IM applications, but no other attacks are allowed. Focus your attack energies on understanding flaws in others' protocols and implementations.

Report
------

In your report, document all vulnerabilities that you have discovered. If you could not exploit a vulnerability, describe in detail how you would have done so if you had sufficient time. If you succeeded in completing an attack, provide the evidence that supports your claims.

Misc
----

If you notice any failures of other teams' systems, or rules violations, report them to that team and CC the instructor and lab TA immediately.

Applications are not required to allow users to change their own password. Therefore, you must provide a secure password to all other teams. It must be random and long. If the passwords you provide for other teams to use are weak, these accounts may be compromised and you will lose points for this flaw.