Due by 9PM Wednesday, March 13
- Completed VM. Please deliver in the usual way via the computer in Olin 302. Put your implementation in /Users/Shared/SecurityComps/YOUR_TEAM_SHORT_NAME/implementation3.
- Walkthrough. Put your walkthrough PDF or a link to your video in your GitHub repo, under walkthrough/.
- End-of-comps survey. I'll post this by Monday 3/4.
Walkthrough guidance
- At minimum, I want to be able to fire up your VM, open your walkthrough, and follow the steps detailed in your walkthrough to end up as root on your VM. Describe the attack steps clearly and concisely. Use screenshots as appropriate.
- Please include in your attack step descriptions some idea of how an attacker could infer (or at least plausibly guess) that a particular attack might work. For example, what about a particular website might give me a hint that SQL injection might be possible? Or how might I determine the version of Linux running on the target, which might suggest to me that certain kernel bugs might be in play? etc.
- Ideally, as a student working through your VM as an exercise, I would like to learn some of the theory behind the vulnerabilities you have implemented. You could help me by pointing me to the very best online resources on the subject (with a little annotation to help me choose which links to prioritize). You could also show me diagrams or examples that illuminate the topic beyond the exact attack that works on your VM. But of course, this kind of exposition could range from just a list of a few handy links up to dozens of pages of detail. Try to find a middle ground that fits your available time but doesn't just leave the readers to Google it themselves.
The last week in class
Some people have asked whether we get to attack each other's machines. I would love to be able to spend a little time in class on that. Alternatively, we had talked about doing "speed runs" of the attacks. I have some ideas about how we might pursue this. We'll talk about it in class today (3/1).
In any case, as soon as you have your VMs ready to go, put them on the Olin 302 machine and let the rest of us know in #general on Slack. I'm really looking forward to testing out your work.