CSCI 379 Topics in Computer Science - Spring 2006
Fundamentals of Computer Security
Homework 5
(Teams of 2 students)
Goals:
- Build
upon the dirhash program developed previously to construct a system to
track modifications to a set of files.
This assigment builds upon the
dirhash
you wrote for
Homework 4 and represent our
final step toward
constructing a program which can be used to monitor modifications to a
set of files.
Your main goal in this assignment is to create a program called
boobytrap
which takes as input a configuration file that lists all the
directories or standalone file that are to be monitored for integrity.
The program will produce hashes for all the files indicated in the
configuration file and store the results in a file formatted according
to specifications for dirhash in
Homework 4.
(Remember that you use
HMACs in
dirhash
and that somewhere, somehow, you will need to allow
the user of
boobytrap
to define the passphrase to apply in the hashing process.)
In pursuing this
goal you must continue to follow the best practices guidelines for
secure programming.
- Apply the
best practices of secure programming discussed in class.
Setup
This project must be developed
in a Linux workstation. It is highly recommended
that you work in one of the lab machines in B164 or B167. Create a
directory for your work called boobytrap
and use it to store all the files in your project. Your directory must
contain a Makefile
that builds the executable boobytrap.
In this Makefile
you must have a rule called clean,
which remove the executable, all core dump files, all object files, and
any other "save" files (those with names that start with # or end with
~) that your editor may have created. Remember to run make
clean on this directory before you build a tarball for
submission!
Specifications
You're "mostly" on your own
to define the specifications this time. There are a few minimal
requirements that your program will have to satisfy:
- boobytrap
must receive as command-line argument from the user the path to a
configuration file to use. The precise format of the configuration file
is for you to define, but it should consist, at the very least, of a
list of the files to be monitored. In this list, some entries may be
file objects while other may be directories. For example:
/bin/cat
(file)
/bin/chmod
(file)
/bin/tcsh
(file)
/usr/bin
(directory)
/sbin
(directory)
- boobytrap
must receive as command-line argument switches indicating the names of
the files to use and what kind of action it must perform. The following
syntax is suggested:
-g:
Generate the encrypted, digitally signed hash database. (default)
-i:
Name of the input configuration file. (default:
boobytrap.conf)
-o:
Name of the hash database file produced as output. (default:
boobytrap.db)
-d:
Decrypt the database file indicated and display on the standard output.
-c:
Compare the two database files indicated and display the results on the
standard output.
Examples of valid usage:
- boobytrap
-g -i myconf -o mydb (the configuration file is called myconf
and mydb
is the output database file).
- boobytrap
-c mydb1 mydb2 (mydb1
and mydb2
are two hash databases to compare).
- boobytrap
-d mydb (mydb1
is
decrypted and displayed on the standard output).
- The passphrase used in the HMAC to generate file hashes must be
read from the keyboard rather than stored anywhere (e.g. in the
program or
in environment variables). (You can
score bonus points if instead of
displaying on the screen the passphrase the user types, you show one '*'
per character entered.)
- The output database file produced must be digitally signed using a
passphrase that is different from that which is used to generate file
hashes. (You should call GPG to perform this step for you using the system
call as indicated below.)
- After the output database file is digitally signed, it must be
encrypted.
The user of boobytrap
will supply the encryption key
interactively when the program is run. That means, the encryption key
is not to be stored in the program. (Counting all the specifications so
far, you will have to deal with three different
passphrases.) You can choose what cipher to
use and you can also choose how you will
call the cipher. One alternative is to use the openssl
tool to do the encryption of the digitally signed output file as in the
example below:
openssl
enc -e -salt -des-cbc -in dbfile -out dbfile.enc -pass pass:PASSPHRASE
In order to have boobytrap
make a call to another program, you will have to use something like the
system
call (look in section 3 of the Linux manual), which can create security
exposures if not used properly. (Do some research to discover what the
risks are.) (You can score bonus
points if instead of using the system
call, you use directly OpenSSL's API for file encryption.)
- In order to compare two hash databases, you can use the Unix diff
utility. Note that in order to display human intelligible text on the
standard output with the differences found, you would have to decrypt
the files before diffing
them. Think before you jump, though, and decide whether there are any
risks in decrypting the files, what names you should give them, etc.
Hand In
A tarball with your source code sent to the instructor by e-mail. Make
sure to use a Makefile
to build your code and to include it in your
tarball. If you have dificulties creating a Makefile
see your
instructor as soon as possible.
Expectations
- User manual
explaining how one runs your program: 10% of grade.
- Programmer's
manual explaining how you structured your program (think block
diagram and specification of the interfaces between components),
what you have done to make your program secure, and risk
assessment (any known security
exposures it may have): 10% of grade.
- Conformance
to specifications for user interface:
10% of grade.
- Correct
functionality: 40% of grade.
- Program
security: 20% of grade.
- Improvements
to specifications (innovations): 10% of grade.
- Bonus: 5% extra credit
for using the OpenSSL API for
encryption/decryption.
- Bonus: 5% extra credit
for not echoing passphrases to the
terminal
Recommendations
- Start early. Leaving it for the last minute will definitely cause
trouble for you and probably for the instructor, as well. This
assignment is not hard, but requires careful thinking and programming.
Most of it has been completed in Homework 3 and
Homework 4, but don't expect that it will
take only a couple of hours to build in the additional functionality.
- Test your program thoroughly and incrementally. If it bombs when
doing anything outlined in the specifications above, you can't expect
to receive top marks in correct
functionality.
- Go through your notes from the secure programming discussion. Try
to adopt the practices we discussed and make sure to show evidence that
you did so in your documentation.
- Keep in mind all we discussed about program security when you
design your program. Input validation is essential. Graceful
degradation and failing safely are recommended practices. Give the user
helpful error messages and abort the program when an unexpected
condition presents itself.