# A4 **Deadline:** Wednesday, 03/23/16, 11:59 pm *This assignment may be done as individuals or with one partner.* ### Problem 1 *adapted from Prof. Jim Martin (Clemson University)* Write a program whose purpose is automated review of a Linux system log. The input to your program will be the file /var/log/auth.log from Ubuntu Server 14.04 LTS (Trusty Tahr). Your program should process the log to determine whether an attacker has attempted to login to an account for which he is guessing the password. Then your program should produce a single line of output that would be suitable to append to /var/log/syslog&mdash;that is, the output should be consistent in format and information with other entries in syslog. Somewhere in that line should be either the string "OK" or "INTRUSION" to indicate your program's determination. <i> Hint: Here are some questions you need to address: * What constitutes an attack? * What evidence is recorded in auth.log? * How can you parse auth.log? * How can a program recognize an attack based on the evidence? * What information should you put into syslog? * How should you format that syslog entry? </i> **Server access:** You can install a virtual machine running Ubuntu 14.04 by following these instructions: 1. Install [VirtualBox][virtualbox]. 2. Install [Vagrant][vagrant]. 3. Run vagrant init box-cutter/ubuntu1404-desktop. 4. Run vagrant up. The username and password are both vagrant. [virtualbox]: https://www.virtualbox.org/wiki/Downloads [vagrant]: https://www.vagrantup.com/downloads.html **Implementation:** You may use any programming or scripting language that can be installed on the virtual machine you created according to the instructions above, as long as that language can be installed by apt-get. For example, here are some suitable choices: * Python 3.4.3 and 2.7: already installed * Perl 5: already installed * Bash: already installed * Java 7: sudo apt-get install openjdk-7-jdk **Execution:** Your program should accept the name of the file to be processed as a command-line argument. Do not hardcode /var/log/auth.log as that filename: the course staff needs to be able to test your program on many log files&mdash;as do you! **Documentation:** Provide three pieces of documentation at the beginning of your program source code in a (long) comment: * *Installation:* If you use any packages installed by apt-get, then you need to document at the beginning of your source code how the grader can easily install those packages in their own virtual machine. * *Execution:* Document the exact command the grader should type in the virtual machine to run your program. * *Design:* Provide an explanation of the design of your automated review focusing on (i) what you consider to be an attack and (ii) how your program recognizes attacks. Discuss false positives and false negatives in light of points (i) and (ii). **Give serious thought** to this explanation, because it will be a major component of how the course staff evaluates your solution. It should not take more than a couple minutes (excepting whatever time apt-get itself consumes) for the grader to follow the installation and execution instructions; if it does, your solution might be penalized. **What to submit:** a source file named authaudit with whatever extension is reasonable for the language you use. ### Problem 2 Your task in this problem is to design the logging system for an automated teller machine (ATM), whose functional requirements are given below. Your design should answer the following questions: 1. What log files will be kept, and where? 2. What is the format of an entry in a log file? 3. What are each of the possible entries that could be made into a file? Specify the information contained in the entry and the conditions under which the entry will be made. You are permitted to propose modest hardware improvements to the ATM for the purpose of logging. **ATM functional requirements** *(adapted from [Wang et al., *The formal design model of an automatic teller machine (ATM)*, IJSSCI 2(1):102&ndash;131, Jan&ndash;Mar 2010] and from Prof. Russell Bjork (Gordon University))* An ATM comprises the following subsystems: * a processor, which performs computation * a magnetic card reader * a keypad * a monitor * several bill storage canisters, one per denomination * a bill disburser * a thermal printer for customer receipts * a system clock * a slot through which customers can deposit envelopes * a communication link to a bank-operated network * a physical key-operated switch to enable an operator to start and stop the machine The ATM provides service to customers only if the key-operated switch is set to the "on" position. When an operator turns the switch to that position, the operator is required to enter into the keypad the amount of cash in each canister. (The denominations of the canisters are known to the machine.) The switch can be turned to "off" only if there is no customer currently in the midst of a series of transactions. When off, no customers will be served, and the operator can remove deposit envelopes, reload the ATM with cash, and replenish the paper for receipts. The ATM will not provide service to customers unless the communication link is active. If the link ever is inactive, the ATM cancels any in-process transactions and refuses to begin any new transactions. To receive service, a customer inserts their ATM card into the reader. The ATM reads the magnetic stripe and returns the card to the customer. The customer then enters a PIN on the keypad. The ATM authenticates the card and PIN, which requires using the communication link to the bank. * If authentication fails, the ATM re-prompts for the PIN. After three incorrect attempts, the ATM communicates to the bank that the card should be deactivated. * If authentication succeeds, the bank retrieves a set of accounts that are associated with the card. The customer can then perform a series of transactions with those accounts, which continues until the customer indicates they are finished or until the ATM detects that the customer has failed to respond to an input prompt within a period of one minute. At any point a customer may abort a transaction in process by pressing a Cancel key on the keypad instead of entering the next input requested by the ATM. If a transaction succeeds, the ATM prints a receipt for the customer. The following transactions are supported: * **Withdraw** cash from an associated account in any denominations supported by the ATM. If the ATM does not have sufficient cash available, it cancels the transaction. Furthermore, the bank must authorize the debit of funds. The ATM does not participate in that authorization decision. * **Deposit** funds into an associated account. The customer places cash or checks in an envelope and enters the amount of the deposit on the keypad. The bank will later decide whether the claimed amount is consistent with the funds available from the envelope and, if so, will credit the account. The ATM does not participate in that decision. * **Transfer** funds between associated accounts. * **Query** the bank for the funds available in an associated account. **What to submit:** a file named atmlog.pdf containing your design. ### Problem 3 *based on [Schneider, chapter 5, problem 5.3]* You have been asked to determine the feasibility of conducting a brute-force attack on a password. Your goal is to produce a dictionary for use in an offline guessing attack. You don't know in advance the passwords that you will need to crack, so you must build a full dictionary. 1. How much time would it take to create a dictionary to crack passwords under both of the following assumptions? - Passwords are chosen from this supposed list of [leaked MySpace passwords](myspace.txt) [source: www.skullsecurity.org]. - The stored form of password pwd is H(salt, pwd), where H is SHA-512 and the salt is four bytes. (That's how OS X Lion stores passwords.) 2. How much time would it take to create a dictionary to crack passwords under both of the following assumptions? - Passwords are chosen uniformly at random from the space of all 8 character or less passwords over the alphabet containing lower-case letters and digits (i.e., a&ndash;z and 0&ndash;9). - The stored form of password pwd is H(pwd), where H is SHA-512. No salt is used. 3. Under what circumstances would you recommend the password selection and storage regime in part (1)? Under what circumstances would you recommend the regime in part (2)? To answer the questions above, you will need to do some programming and experimentation to measure how much time it takes to hash and store passwords to a dictionary file. We expect you to report how you went about this experimentation, including the kind of processor, machine, OS, etc. Your answers for problems 1 and 2 should be broken into three parts: 1. A formula for calculating the amount of time. 2. Your measurements. 3. A final time estimate constructed from the previous two parts, **What to submit:** a file named bruteforce.pdf containing your answers to the above questions. Include any relevant source code as an appendix to that document. ### Submission If you work with a partner, first form a group on CMS; submit as that group, rather than submitting the same solution independently. Submit the files specified above to [CMS][cms]. For PDFs, use 10 point or larger type. Be succinct; it's unlikely you will need to write more than a couple pages per problem. [cms]: https://cms.csuglab.cornell.edu/ ### Evaluation You will be evaluated on the quality of your solutions and on your adherence to the submission stipulations above. We'll use the following criteria in evaluating quality: - *Validity:* do you present a logical, lucid, coherent, clearly focused, well structured, and appropriately detailed argument? - *Consistency:* do you employ concepts, principles, and terminology as they are used in this course? - *Evidence:* do you adequately support your conclusions? - *Writing:* do you use proper mechanics, grammar, and style?