Exam Attack

In this lab you have to implement a model of a multiple choice exam for the scenario where students Alice and Bob are taking the exam. Exam is held by the examiner who has a pool of questions. The examiner asks students to answer questions from this pool. Alice and Bob are given in turn the text of a question and possible choices. After reading a questions they choose one of the possible options. When all answers are collected, the examiner calculates the totals and tells Alice and Bob their results.

Optional: once the exam is over, the examiner makes the correct answers available to Alice and Bob.

The lab consists of two parts.

Part One

In part one you are given a code for three Java classes ExamRoom, Question, and Exam and for the Java interface IStudent. These classes and interface can be described as follows:

• class ExamRoom - the starting point of the application. Function main() lives here
• class Question - a data structure representing a question. This class has three fields: the text of the question, the array of options, and the answer.
• class Exam - this class has method runExam() that runs the exam and the method questionPool() that returns an array of questons.
• interface IStudent - an interface for student class. It has three methods that class Student has to implement
  • getAnswer() - this method accepts a text of the question and array of answers
  • passResult() - this method accepts an integer which is the total number of points that student has collected
  • tellResult() - in this method a student prints out the total number that he gets from Examiner via passResult()

The task in the this part is to write a malicious class Student (implementing IStudent) that leaks answers of Alice to Bob, allowing students to cheat during the exam. Alice may follow some simple strategy when choosing the right answer. An example of such a strategy might be just a random guess. In order to compile against the provided class ExamRoom, make sure your constructor in Student class accepts a string argument that is a name of the student.

You need to demonstrate the attack by providing the output (as below) that shows that Bob always chooses the same answer as Alice. There should be no direct communication between Bob and Alice or use of static class fields - the attack must exploit a weakness in the Exam class.

> java ExamRoom
Starting exam
Alice got question: What café in Göteborg offers Kope Luwak coffee?
Options: (0) Blue Mountain Café (1) Mauritz Kaffe 
::Alice replies 1
Bob got question: What café in Göteborg offers Kope Luwak coffee?
Options: (0) Hello, Bob. I think, the answer is 1 -Alice (1) Mauritz Kaffe 
::Bob replies 1
Alice got question: What's the price of a Kope Luwak espresso?
Options: (0) 100SEK (1) 60SEK 
::Alice replies 0
Bob got question: What's the price of a Kope Luwak espresso?
Options: (0) Hello, Bob. I think, the answer is 0 -Alice (1) 60SEK 
::Bob replies 0
exam finished
Student Alice has got 1 points
Student Bob has got 1 points
done.

Note how Bob obtains the answer from Alice.
Optional: what other attacks can you perform (i.e., against availability, integrity)?

Part Two

In part two you need to use Jif to implement this scenario.

• Write classes Exam, Question, and Student. Modify IStudent interface as necessary.
• Parameterize class Student and interface IStudent over student principal S.
• Use principals Alice, Bob, and Examiner for label annotations.
• As previously, IStudent should contain three functions.
  • The method getAnswer() accepts a text of the question and array of answers. Question text and options should be labeled as {Examiner: S}, where S is principal parameter corresponding to a student. The return label of the getAnswer() method should be labeled so that it depends on the question and at the same time specifies that student owns the part of the answer and allows only examiner to read it.
  • The method passResult() should be called by the examiner (in Exam). The label of the argument of this function should correspond to the security policy that student owns a data and only examiner is allowed to read a data.
  • The method tellResult() should declassify the result and print it to the screen.
  • Optional: add function passCorrect() to the IStudent interface and Student class. Modify Exam class to pass the array of correct answers via this method to students after the exam is over.

How to start

To use Jif, login to any Linux machine (e.g. remote1.tekno.chalmers.se), and run the course setup script.

> setup_course TDA600

Use the skeleton ExamRoom.jif as a starting point. To compile ExamRoom.jif, type

> jifc -classpath $JIF/tests ExamRoom.jif -explain

> jif -classpath $JIF/tests ExamRoom
Starting exam
exam finished
done.

When you complete the second part, the output of the program should look as follows:

Starting exam
exam finished
Alice has got 1 points
Bob has got 0 points
done.

Hints

• Use class parameterization. Depending on your solution you may or may not consider parameterizing class Question.
• Identify what variables contain sensitive information and how restrictive their labels should be. Assign confidentiality labels to class fields.
• Identify side effects that you have in your methods. This will tell you how begin-labels should look like. If your method has side effects and may terminate in different ways, this will also affect end-labels.
• Use NullPointerException analysis to avoid ignoring exceptions and achieve cleaner code.
• Use Declassifier pattern for array declassification. Below is an example of this class with a function for declassification of string arrays.

  class Declassifier[principal P, label L]  {
      public static String{L}[]{L}
      declassifyStringArray{L}(String{P:}[]{P:} x_0) 
      where caller (P) {
          String{P:}[]{L} x = declassify(x_0, {L});
          if (x == null)
              return null;
          
          String{L}[]{L} y = new String[x.length];
          try {
              for (int i = 0; i < x.length; i++) 
                  y[i] = declassify(x[i], {L});       
          } catch (ArrayIndexOutOfBoundsException ignored) {
          } catch (ArrayStoreException ignored) {
          }
          return y;
      }
  }
  

  This class is parameterized over a principal P whose authority is required for declassification and a label L to which the data is downgraded. In this pattern, the function declassifyStringArray() accepts an array of strings labeled high and returns the low copy of it. Sample usage is:

  String{Alice:}[]{Alice:} highArray = ...
  String{}[]{} lowArray = Declassifier[Alice, {}].declassifyStringArray(highArray);
  

• Printing is side-effect in Jif and is rejected by type system unless you specify correct begin-label. Reuse code from ExamRoom.main function in order to print output to the console.
• More examples of Jif programs can be found in directories $JIF/tests and $JIF/examples/battleship

Reporting

Submitting instructions

Demands

• Include an ASCII file with the report. Your solution should contain the following Jif files:
  • Exam.jif
  • Question.jif
  • ExamRoom.jif
  • IStudent.jif
  • Student.jif

  Make sure these files compile under Jif.

• You must address a few points in the report:
  • What labels do you use in your program? What do they protect?
  • How do you prevent leakages through exceptions in your program?
  • How do you use declassification? Could there be less declassifications in your program? What data is declassified? Who declassifies it? Where in the program does it occur? When does it occur?
  • Does your code prevent attacks that you have found in part one?

Downloads

• The flie exam.tgz contains all you need to start.

Links

• Programming in Jif - official Jif 2.0.1 documentation
• Jif warm-up exercises
• Jif FAQ (based on the previous runs of the course)