Application Competition Rules
=============================

Requirements
------------

Your team must publish a working version of the IM application by the "code freeze" date. Beyond this date, you must not make any alterations to your application. You must also provide the source code and installation instructions for both the client and server.

The server component of your system (if applicable) must be installed and running on one of your VM lab systems 48 hours before the competition begins. In addition, you must provide each team (besides your own) with an account to log in to your IM system. The team usernames should be of the form 'teamT' (all lower case), where 'T' is the team number. You must also provide two accounts to the lab TAs (i.e., ta1, ta2).

During the competition, you must have at least 3 of your team members logged into your IM application at all times. The lab TA will use this to communicate with your team, and you should use this as your primary form of communication with other teams, unless there is a failure. Use email or other standard forms of messaging only as a backup.

Schedule
--------

- April 9, 2009; 11:59PM: Code freeze in effect (send your code to the TA & Instructor).
- April 10, 2009; 11:59PM: All authentication credentials must be provided to the other teams. Teams should begin testing their access to others' applications as soon as they receive credentials.
- April 12, 2009; 6:00PM: All application servers must be functional.
- April 14, 2009; 6:00PM: Competition begins. No DoS attacks allowed.
- April 14, 2009; 8:30PM: Competition continuing, DoS attacks allowed.
- April 14, 2007; 9:00PM: Main competition finished. Bonus points may be obtained for successful attacks on other teams' applications (after 9:00pm). Application servers must be left up to facilitate attacks. You can also run the server of other teams on your own VM and try attacks on it.
- April 20, 2007; 11:59PM: Period of attacks for bonus points concluded.
Scoring
-------

The security features and completeness of implementation of your IM application will provide your team with a base score. During the competition, you will gain or lose points if you compromise others' protocols or are compromised, respectively. For some specific attacks, the amounts awarded/lost are listed below:

- Attack on identity hiding (from the protocol side): +/- 1 point
- Denial of Service (IM client or server denied service): +/- 2 points
- Compromise of integrity (messages modified in transit w/o detection): +/- 10 points
- Compromise of confidentiality (messages divulged): +/- 10 points
- Compromise of authentication (session hijacking, credentials cracked, etc.): +/- 10 points
- Compromise of system-level account (shell injection, file retrieval, etc.): +/- 10 points

Other types of attacks not listed here may also yield points and will be scored at the instructor's discretion based on difficulty. Attacks must be successful in order to yield points. Successful attacks conducted after the end of the main competition will yield bonus points, but in smaller amounts than indicated above. You will not lose any points for being compromised after the main competition period.

If your IM implementation or protocol has flaws that you did not have time to fix before the freeze date, but you know what these are and how you would have fixed them given enough time, document them before the competition. Record all applicable flaws, how they could be exploited, and how you would fix them, and submit this to the instructor *before the competition begins*. This may prevent you from losing some or all of the applicable points if another team exploits these specific flaws.

Denial of Service Attacks
-------------------------

DoS attacks will only be permitted at the end of the competition. In addition, any DoS attack performed must be limited in scope to a single victim system at a time.
Once it is clear that a DoS attack you are using is successful, and you have logged the evidence that it is, you must cease the attack. Finally, you must not use a single successful attack against the same system more than once.

There is a gray area in the definition of denial of service which may cause confusion as to whether some attacks are permitted outside of the DoS window. For instance, some failed injection attempts can lead to a DoS. Additionally, many MitM attack techniques can lead to a DoS for some network traffic. In these situations, use your best judgement. You should seek to minimize DoS-like collateral damage when performing attacks early in the competition. If you aren't sure whether a specific attack will cause too much damage, ask a TA or Instructor. Finally, be sure to report any problems that appear to be the result of a DoS against your systems to a TA/Instructor if they occur outside of the designated DoS attack time.

Other Attacks
-------------

In this competition, attacks against other teams' IM applications are the only ones allowed. You may use simple tools like port scanners to discover instances of IM applications, but no other attacks are allowed. Focus your attack energies on understanding flaws in others' protocols and implementations.

Report
------

In your report, document all vulnerabilities that you have discovered. If you could not exploit a vulnerability, describe in detail how you would have done so if you had sufficient time. If you succeeded in completing your attack, provide the evidence that supports your claims.

Misc
----

If you notice any failures of other teams' systems, or rules violations, report them to that team and CC the instructor and lab TA immediately.

Applications are not required to allow users to change their own password. Therefore, you must provide a secure password to all other teams. It must be random and long.
If the passwords you provide for other teams to use are weak, these accounts may be compromised and you will lose points for this flaw.