Application Competition/Security Analysis Rules
===============================================

Requirements
------------

Your team must publish a working version of the IM application by the "code freeze" date. Beyond this date, you must not make any alterations to your application. The source code and installation instructions for both the client and server (if applicable) must be sent to the TA and instructor by the same date.

Your submission should include a clear README on how to install the application (both the server and the client). The installation should allow for at least 3 users. The README should indicate the usernames and passwords of the authorized users.

Schedule
--------

December 6, 2012; 11:59PM (50% penalty per day late)
    Code freeze in effect. All application code must be submitted. All authentication credentials must be submitted (in README).

    Deliverables:

    1) Source code including installation instructions
    2) User credentials to your system (in README)

December 10, 2012; Final Presentations
    Deliverables: Final Report (due at time of presentation)

Scoring
-------

The security features and completeness of implementation of your IM application will provide your team with a base score. During the competition, you will gain or lose points if you compromise others' protocols or are compromised, respectively. For some specific attacks, the amounts awarded/lost are listed below:

- Attack on identity hiding (from the protocol side) ± 1 point
- Denial of Service (IM client or server denied service) ± 2 points
- Compromise of integrity (messages modified in transit w/o detection) ± 10 points
- Compromise of confidentiality (messages divulged) ± 10 points
- Compromise of authentication (session hijacking, credentials cracked, etc.) ± 10 points

Other types of attacks not listed here may also yield points and will be scored at the instructor's discretion based on difficulty. Attacks must be successful in order to yield points.
To get full points, the attacks should be performed on an instance of other teams' servers/clients installed locally on your computers.

If your IM implementation or protocol has flaws that you did not have time to fix before the freeze dates, but you know what these are and how you would have fixed them given enough time, document these before the competition. Record all applicable flaws, how they could be exploited, and how you would fix them, and submit this to the instructor *before the competition begins*. This may prevent you from losing some or all of the applicable points if another team exploits these specific flaws.

Report
------

In your report, document all vulnerabilities that you have discovered. If you could not exploit a vulnerability, describe in detail how you would have done so if you had sufficient time. If you succeeded in completing your attack, provide the evidence that supports your claims.