# A4
**Deadline:** Wednesday, 03/23/16, 11:59 pm
*This assignment may be done as individuals or with one partner.*
### Problem 1
*adapted from Prof. Jim Martin (Clemson University)*
Write a program whose purpose is automated review of a Linux system log.
The input to your program will be the file `/var/log/auth.log` from
Ubuntu Server 14.04 LTS (Trusty Tahr). Your program should process the
log to determine whether an attacker has attempted to login to an
account for which he is guessing the password. Then your program should
produce a single line of output that would be suitable to append to
`/var/log/syslog`—that is, the output should be consistent in format
and information with other entries in `syslog`. Somewhere in that line should
be either the string `"OK"` or `"INTRUSION"` to indicate your program's determination.
Hint: Here are some questions you need to address:
* What constitutes an attack?
* What evidence is recorded in `auth.log`?
* How can you parse `auth.log`?
* How can a program recognize an attack based on the evidence?
* What information should you put into `syslog`?
* How should you format that `syslog` entry?
**Server access:**
You can install a virtual machine running Ubuntu 14.04 by following these
instructions:
1. Install [VirtualBox][virtualbox].
2. Install [Vagrant][vagrant].
3. Run `vagrant init box-cutter/ubuntu1404-desktop`.
4. Run `vagrant up`.
The username and password are both `vagrant`.
[virtualbox]: https://www.virtualbox.org/wiki/Downloads
[vagrant]: https://www.vagrantup.com/downloads.html
**Implementation:**
You may use any programming or scripting language that can be installed
on the virtual machine you created according to the instructions above, as long
as that language can be installed by `apt-get`. For example, here are
some suitable choices:
* Python 3.4.3 and 2.7: already installed
* Perl 5: already installed
* Bash: already installed
* Java 7: `sudo apt-get install openjdk-7-jdk`
**Execution:**
Your program should accept the name of the file to be processed as
a command-line argument. Do not hardcode `/var/log/auth.log` as
that filename: the course staff needs to be able to test your program
on many log files—as do you!
**Documentation:**
Provide three pieces of documentation at the beginning of your program
source code in a (long) comment:
* *Installation:* If you use any packages installed by `apt-get`, then
you need to document at the beginning of your source code how the grader
can easily install those packages in their own virtual machine.
* *Execution:* Document the exact command the grader should type in the
virtual machine to run your program.
* *Design:* Provide an explanation of the design of your automated
review focusing on (i) what you consider to be an attack and (ii) how
your program recognizes attacks. Discuss false positives and false
negatives in light of points (i) and (ii). **Give serious thought**
to this explanation, because it will be a major component of how
the course staff evaluates your solution.
It should not take more than a couple minutes (excepting whatever time
`apt-get` itself consumes) for the grader to follow the installation and
execution instructions; if it does, your solution might be penalized.
**What to submit:** a source file named `authaudit` with whatever extension
is reasonable for the language you use.
### Problem 2
Your task in this problem is to design the logging system for an
automated teller machine (ATM), whose functional requirements are given below.
Your design should answer the following questions:
1. What log files will be kept, and where?
2. What is the format of an entry in a log file?
3. What are each of the possible entries that could be made into a file? Specify
the information contained in the entry and the conditions under which the entry
will be made.
You are permitted to propose modest hardware improvements to the ATM for the purpose
of logging.
**ATM functional requirements**
*(adapted from [Wang et al., *The formal design model of an automatic
teller machine (ATM)*, IJSSCI 2(1):102–131, Jan–Mar 2010]
and from Prof. Russell Bjork (Gordon University))*
An ATM comprises the following subsystems:
* a processor, which performs computation
* a magnetic card reader
* a keypad
* a monitor
* several bill storage canisters, one per denomination
* a bill disburser
* a thermal printer for customer receipts
* a system clock
* a slot through which customers can deposit envelopes
* a communication link to a bank-operated network
* a physical key-operated switch to enable an operator to start and stop the machine
The ATM provides service to customers only if the key-operated switch is
set to the "on" position. When an operator turns the switch to that position,
the operator is required to enter into the keypad the amount of cash in
each canister. (The denominations of the canisters are known to the machine.)
The switch can be turned to "off" only if there is no customer currently in
the midst of a series of transactions. When off, no customers will be served,
and the operator can remove deposit envelopes, reload the ATM with cash, and
replenish the paper for receipts.
The ATM will not provide service to customers unless the communication
link is active. If the link ever is inactive, the ATM cancels any
in-process transactions and refuses to begin any new transactions.
To receive service, a customer inserts their ATM card into the reader.
The ATM reads the magnetic stripe and returns the card to the customer.
The customer then enters a PIN on the keypad. The ATM authenticates the
card and PIN, which requires using the communication link to the bank.
* If authentication fails, the ATM re-prompts for the PIN. After three
incorrect attempts, the ATM communicates to the bank that the card
should be deactivated.
* If authentication succeeds, the bank retrieves a set of accounts
that are associated with the card. The customer can then perform a
series of transactions with those accounts, which continues until the
customer indicates they are finished or until the ATM detects that the
customer has failed to respond to an input prompt within a period of one
minute. At any point a customer may abort a transaction in process by
pressing a Cancel key on the keypad instead of entering the next input
requested by the ATM. If a transaction succeeds, the ATM prints a
receipt for the customer.
The following transactions are supported:
* **Withdraw** cash from an associated account in any denominations supported by the ATM.
If the ATM does not have sufficient cash available, it cancels the transaction.
Furthermore, the bank must authorize the debit of funds. The ATM does not
participate in that authorization decision.
* **Deposit** funds into an associated account. The customer places cash or checks in an
envelope and enters the amount of the deposit on the keypad. The bank
will later decide whether the claimed amount is consistent with the
funds available from the envelope and, if so, will credit the account.
The ATM does not participate in that decision.
* **Transfer** funds between associated accounts.
* **Query** the bank for the funds available in an associated account.
**What to submit:** a file named `atmlog.pdf` containing your design.
### Problem 3
*based on [Schneider, chapter 5, problem 5.3]*
You have been asked to determine the feasibility of conducting a
brute-force attack on a password. Your goal is to produce a dictionary
for use in an offline guessing attack. You don't know in advance the
passwords that you will need to crack, so you must build a full
dictionary.
1. How much time would it take to create a dictionary to crack
passwords under both of the following assumptions?
- Passwords are chosen from this supposed list of [leaked MySpace
passwords](myspace.txt) [source: www.skullsecurity.org].
- The stored form of password pwd is H(salt, pwd), where H is
SHA-512 and the salt is four bytes. (That's how OS X Lion stores
passwords.)
2. How much time would it take to create a dictionary to crack
passwords under both of the following assumptions?
- Passwords are chosen uniformly at random from the space of all 8
character or less passwords over the alphabet containing
lower-case letters and digits (i.e., a–z and 0–9).
- The stored form of password pwd is H(pwd), where H is SHA-512.
No salt is used.
3. Under what circumstances would you recommend the password selection and
storage regime in part (1)? Under what circumstances would you
recommend the regime in part (2)?
To answer the questions above, you will need to do some programming and
experimentation to measure how much time it takes to hash and store
passwords to a dictionary file. We expect you to report how you went
about this experimentation, including the kind of processor, machine,
OS, etc.
Your answers for problems 1 and 2 should be broken into three parts:
1. A formula for calculating the amount of time.
2. Your measurements.
3. A final time estimate constructed from the previous two parts,
**What to submit:** a file named `bruteforce.pdf` containing your answers to the
above questions. Include any relevant source code as an appendix to that document.
### Submission
If you work with a partner, first form a group on CMS; submit as that group,
rather than submitting the same solution independently.
Submit the files specified above to [CMS][cms].
For PDFs, use 10 point or larger type.
Be succinct; it's unlikely you will need to write more than a couple pages per problem.
[cms]: https://cms.csuglab.cornell.edu/
### Evaluation
You will be evaluated on the quality of your solutions and on your
adherence to the submission stipulations above. We'll use the following
criteria in evaluating quality:
- *Validity:* do you present a logical, lucid, coherent, clearly
focused, well structured, and appropriately detailed argument?
- *Consistency:* do you employ concepts, principles, and terminology
as they are used in this course?
- *Evidence:* do you adequately support your conclusions?
- *Writing:* do you use proper mechanics, grammar, and style?