Information Assurance

Information Assurance

back to projects page

You have already written a program that provides password access to a file on the class linux system. Now you are going to revise your project, taking into account the feedback you received from your classmates as well as the things we are learning about secure programming. You should definitely be checking to make sure that your programs are secure against buffer overflows and other malicious input. The goals again are the same, but you will be graded on the security of your program. Any vulnerability will be bad, Bad, BAD for your grade. This is the major part of a continuing assignment, and will constitute a significant portion of your grade for the Projects part of the semester.

I will be installing a static analysis tool that will help you audit your code; I will send mail to the class when I have finished doing so.

I have provided yet another secret id for this assignment, referred to as your yasecretid. You will find it in the file named yasecretid in your normal user account. Notice it has 4 trailing hex digits. Place your code and do your testing in this account when done.

Write a secure suid program that will allow others to access a file in your account on ia-class.

• Your program should be named <yasecretid>.exe. Even though linix ignores the .exe suffix, we will use that to identify which is the executable.
• It should read a password from a user who runs the program.
• If the password is valid, print the contents of an existing file named <yasecretid>.txt.
• Your program will also log who accessed <yasecretid>.txt in another file named <yasecretid>.log
• Rather than have a single password for file access, you will have separate passwords that can be issued to different possible users.
• You can use only passwords as identifiers, or you can assign each user a name at your discretion.
• Provide a mechanism for adding and removing users who may access the file. This does not have to be fancy, and can be part of your suid program, or can be some simple mechanism like hand-editing a configuration file.
• If you use a configuration file, it should be named <yasecretid>.cfg.

To test your program, you can suid it to your own name and run it yourself from your secretid account. To make your program suid:

• Make sure it is executable by doing chmod a+x <yasecretid>.exe
• Make it suid by doing chmod +s <yasecretid>.exe

When done testing it, I recommend that you unset the suid bit by doing chmod -s <yasecretid>.exe. This is more secure for the files in your account.

What to turn in:

First, you will create a separate directory in your account on ia-class named NETID-project5 where NETID is your login. Place in this directory a copy of the source code, the executable, the text file to be accessed, and any configuration files required. Do not include any object files you create.

Second, You will mail the instructor a tar file of this directory. You can create this by using the command:

tar -cf NETID.tar NETID-project5

Projects are due before class on November 3rd.

Place in your NEW secret id account ( the one with four trailing hex digits, not the old one, which will be deleted):

• Your executable code. This should have the suid bit set, and should be world readable and executable.
• If you use a config file, there should be 10 working accounts and passwords within. You DO NOT have to use swordfish for any of these accounts. You should be able to prove they are working.
• You source code, with any identifying information such as name or netid removed. This should be world readable.
• If you have chosen to use a configuration file it should be world readable.
• A log file. It does not need to have any entries when started. It should be world readable.
• The secret file people are trying to get access to. This should not be world readable. Choose some phrase to put in there. It isn't too important what it is, but keep it under 126 characters.