Electronic Voting System (Phase IV): Denial of Service
Due: 10:00am Thursday, May 6, 2004
General Instructions.
Students are required to work together
in groups of size 3 or 4. An assignment submitted on behalf of a
"group" having fewer than 3 students will receive a
grade of F. All members of the group are responsible for understanding the
entire assignment and will receive the same grade.
You need not work in the same group for this phase as you did for Phase III.
No late assignments will be accepted.
Academic Integrity. Collaboration between groups is prohibited and
will be treated as a violation of the University's academic integrity code.
Purpose of Assignment
Availability is perhaps the underrated security property.
Yet for some systems,
preventing a client from accessing the service can be more devastating
than revealing a secret or corrupting data.
A business cannot survive long without access to customers;
a control system becomes impotent when signals don't reach actuators.
This assignment gives you the opportunity to explore vulnerabilities
to denial of service attacks that might be present in an electronic voting system.
Some will find the different character of the assignment to be refreshing;
others will find it frustrating:
- The emphasis in the assignment is on analysis and identification of problems---not on writing programs.
- Satisfactory defenses might not exist for some of the problems you identify.
- You will be working with code that your group did not design and did not implement.
What to Do
Analyze a Phase II implementation built by some other group in CS513
this semester.
Pick a group and ask them for a copy of the set of Phase II files they
submitted for grading.
Thereafter, you are barred from having discussions with
members of that group or any other group
about the system you selected or how it works (or doesn't).
Once you have in hand such a target system, analyze it
and identify vulnerabilities the server has to denial of service attacks.
Ignore denial of service attacks aimed at the client;
ignore denial of service attacks directed at incapacitating
infrastructure, like the internet routing
structure, the C# language run-time, or the operating system.
For each server vulnerability you identify, we ask that you:
- Describe an attack that would exploit the vulnerability and thereby prevent or delay the server from performing some or all of its job. Sketch a program that implements the attack.
- Explain how the voting protocols, client code, and/or server code might be modified in order to reduce or eliminate the vulnerability. If you believe the vulnerability cannot be addressed by such modifications, then explain why.
- [Optional Extra Credit. Do this only for one vulnerability.] Actually program your defense. Document its effectiveness by running experiments and presenting real data that shows the extent to which your programmed defense succeeds in blunting some interesting class of denial of service attacks.
Submission and Grading
Submission Procedure.
Create a .zip file containing the files you wish
us to grade. Then submit this .zip file using
CMS.
Your .zip should contain the following files (at least):
- TEAM.txt which contains the names (and net-ids) for all team members. Also, for each team member, give a 1 or 2 paragraph description of the tasks this team member performed and the number of hours this required.
- TARGET.txt which contains the names (and net-ids) of the team that wrote the system you chose to analyze for this assignment. No name should appear in both TEAM.txt and in TARGET.txt.
- A set of files V (you may choose the names, but they must be txt files) which comprise a vulnerability analysis. Each file F in V should contain an English description of some class of vulnerabilities present in the system you analyzed. Limit yourself to at most 5 such files, by grouping vulnerabilities in a sensible way. If the target system you chose to analyze has more different vulnerabilities than might naturally be accommodated in 5 files, then you need only treat the 5 most problematic classes of vulnerabilities. The contents of each file should be structured in terms of the following elements.
  - A section describing the general class of vulnerability (e.g. "memory exhaustion").
  - A section describing the procedure you used to identify instances of the vulnerability in the target system. Discuss any software tools you employed (including special-purpose tools you wrote) to facilitate this task.
  - A section listing all instances in the target system code where this vulnerability is present. Feel free to refer to file names and line numbers in the code. (The grader will have access to the code from what was submitted for grading in the previous phase.)
  - A description of one or more attacks that exercise these vulnerabilities.
  - A description of how to defend against these attacks or why there is no way to eliminate these vulnerabilities.
- VulIndex.txt which contains a list of the names of the files in V. For each file F in that list, give a few sentence summary of the class of vulnerabilities treated in depth within file F. In addition to giving this list of files, describe the methodology you employed to identify classes of vulnerabilities in the target system, and also give an explanation of the methodology you employed to select the 5 you treat in depth.
[Optional Extra Credit]
For one file F listed in VulIndex.txt, include
a file F.xtra in which you give:
- A detailed explanation of changes that you made to the target system in order to eliminate the vulnerabilities that are the subject of file F.
- Experiments and measurements that demonstrate the extent to which your new, programmed defenses succeed.
Notice, we are not requesting the code for the modified system.
However, we reserve the right to request the code and/or receive a demonstration
of your enhanced system so that we can validate performance data or other
experimental results you submit for Optional Extra Credit.
Grading.
A good job on the Optional Extra Credit will earn at most a few points;
but it will double or triple the amount of time you spend on this assignment.
The extra credit in this phase
is thus designed to be attempted by and challenge the very top students in the class;
it is not a sensible way to increase your grade---time
spent working on the main body of the assignment will have a higher grade pay-off.
Your grade on the required parts of the assignment is based on the following elements:
- Whether you followed a sound and sensible process for hypothesizing vulnerabilities worth investigating in the target system.
- Whether you have identified a range of real vulnerabilities in the target system.
- Whether you have created sensible groupings of these vulnerabilities.
- How credible, accurate, and complete is the procedure you advocate for identifying each of the vulnerabilities within a grouping?
- How careful is your characterization of where the vulnerability is present? E.g., could a cs100 student find and understand the problem based on your explanation?
- To what extent does the attack you propose exploit the vulnerability? Or, do you argue correctly that no attack would?
- To what extent would the defenses you propose eliminate the vulnerability?