Assignment Quick Links

1. Overview
2. Build It
3. Break It
   1. Coverity details
4. Fix It
5. Oracle
6. Program specifications
   1. logappend
   2. logread
7. Grading
8. Scoring
9. Rules

Build It; Break It; Fix It: Overview

version 1.08 (19 Jan 2022)

In this homework, you will implement a secure log to describe the state of an art gallery: the guests and employees who have entered and left, and persons that are in rooms. The log will be used by two programs. One program, logappend, will append new information to this file, and the other, logread, will read from the file and display the state of the art gallery according to a given query over the log. Both programs will use an authentication token, supplied as a command-line argument, to authenticate each other. Specifications for these two programs and the security model are described in more detail below.

You will build the most secure implementation you can; then you will have the opportunity to attack other teams’ implementations, and fix bugs that other teams identify in your implementation.

This homework has a graded component and a contest component. Please note that your grade for the homework, and your score in the contest are not the same (although they are likely to be correlated). Details of grading and scoring are below. Scoring well in the contest is good for bragging rights and for extra credit.

Setup

You will work in teams of 3 people in groups assigned by us. Your first task is to meet as a team. Your team should decide how often, when, and by what means you will meet. You should also decide on the roles and responsibilities for each member. Please designate one member as the team leader. Last, but not least, you must choose a team name!

Once you have decided on all of the above, the team leader must complete two tasks:

1. Complete this Google Form with all of the information you decided above.
2. Register on our class-specific AutoLab instance (click on the blue “Register” link towards the bottom). When you register for AutoLab, please carefully follow these instructions:
   1. Use your Andrew email address.
   2. Use a brand new password. You must share this password with your group, so do not recycle an existing password!
   3. When asked for your name, use “Team” for the first name, and use your group’s name for the last name.

Grading

See the page for each phase (linked in the Quick Links above) for more details about how each phase will be graded.

Build It will be worth 100 points

Break It will be worth 100 points

Fix It will be worth 50 points

Extra Credit

The assignment as a whole is worth 250 points. The top 50% of teams, based on contest score (see below), will be awarded an additional 10 points (4%). The top 3 of teams will be awarded an additional 5/3/1 point(s) respectively. The very top team will also receive adulation and eternal bragging rights.

Contest Scoring

To add an element of fun to the assignment, we will also be collecting scores for the Build It; Break It; Fix It contest. In each phase, your team will earn/lose points. You can see your (near) realtime standing on our Scoreboard.

Note that you are more than welcome to ignore the contest entirely. You can still get full credit for the assignment.

You’ll find more details about each phase in their dedicated pages. Here, we summarize the overall scoring system.

• In the Build It phase, your team receives 25 points for each functionality test passed.
• In the Break It phase, there are four types of breaks. Correctness breaks are worth 25 points, crash breaks are worth 50 points, and confidentiality and integrity breaks are each worth 100 points. Each time you find a break against another team, you gain the corresponding number of points, and they lose the same number.
• In the Fix It phase, you can identify breaks from multiple teams that all targeted the same bug/vulnerability and then fixing it. If T teams all exploited the same bug with a break type worth P points, then in the Break It phase, you lost T*P points. In this phase, if you fix the underlying bug, you will regain (T-1)*P points, so that in effect, you will have only lost points once for the bug, rather than T times.

Your final score (and hence final contest standing) will be the sum of your scores from all three phases.

Rules

General

• Do not hack the contest’s infrastructure, or you will fail the assignment.
• Each teams must do their own work and not share solutions with other teams.

Build It

• Do not obfuscate the source code in your submissions or you will not get credit for the assignment.
• Make sure that your Build It build and submission are reasonably efficient. Each test must complete within at most 60 seconds, and the entire build plus test process must take less than 7 minutes or your submission will time out.

Break It

• You may submit at most 10 breaks per team, and your breaks can only target a total of at most 8 teams. The AutoLab infrastructure will enforce these limits.

Fix It

• Each fix may only target one underlying bug. Multiple bugs must be addressed via multiple fixes.