CS 600.443 Spring, 2005 Assignment #1 Part I is due on February 24. Part II is due on March 10. Selected presentations on 3/24 This assignment is to be done individually. You may not discuss this with any other students. All the work must be your own, but you may use publicly available code and libraries if you like. However, all of the code related to the exploit must be original for this project. Wherever you use something that you did not develop for this assignment, you must document that fact. Part I: The Exploit You work for a brokerage firm. Your job is to design the web interface to the stock trading software. Unfortunately, you have built up some heavy gambling debts, and you are completely broke. To avoid having big guys with lead pipes break your knees, you decide to steal from your employer in a sneaky way. You are going to put a secret "back door" in the web code that will enable you to do your evil deed later over the Internet. Design and build a web interface to a brokerage house. You should write CGI scripts that handle user inputs for trading and account registration. You should design the look and feel of the site and fake all the functionality. You can use any software or programming environment you like, but the web server must be Apache or IIS. The goals of your malicious code are: 1. It should not be obvious to someone inspecting the code that there is a back door. 2. The back door should allow you to control the server and or manipulate data on the server remotely. The more access, the better. 3. The code should be well documented, and there should be external documentation explaining how it works. What to turn in for Part I: 1. A write-up explaining the philosophy behind your malicious code, how it is implemented and how it works. (max 2 pages) 2. Prepare a software distribution on a CD ROM that contains the following. a. All of the code. b. All libraries and third party software needed to run the system, except for the web server itself. c. A detailed README file explaining how to install the software. You will turn in TWO copies of the CD ROM. One will be used for grading and the other in part II of the project. Part II: The Code Analysis Your new job at the brokerage firm is software quality assurance. You will be handed the software that is used to manage the brokerage firm and will perform a safety and security analysis of the code. 1. You will be assigned a partner in the class. 2. Give the partner your distribution on the CD ROM and take theirs. 3. Analyze their code, run it, and read their documentation. The goal is to try to find the back door. Also, identify areas of weakness or problem in the code. 4. Write a report about your findings (max 4 pages). Indicate any problems you found or areas of suspicion. Give the project one of the following grades: PASS: A, B or C FAIL: explain why PROBLEMATIC, but fixable SECURITY VIOLATION: arrest this programmer (justify) Selected Presentations: 6 or 7 of the better projects will be selected for 10 minutes presentations to the class on 3/24. Presentations should include a description of the back door and a demo, as well as the analysis that was done of the other system. ----- Grade sheet: Part I Cleverness of the exploit: _________ (10 points) Quality of the writeup:___________ (5 points) Implementation:________________ (20 points) Ease of installation, readability:_____________ (5 points) Overall quality:_______________(10 points) Part II Ability to find back door:___________(10 points) Approach, methodology, effort:________(10 points) Quality of report:_________________(20 points) Appropriateness of grade given to other project:______(3 points) If selected for presentation, may receive up to 5 extra credit points for good presentation.