Please note that these Trac pages are no longer being updated. Wiki contents/documentation have moved to GitHub.


Version 23 (modified by ericms, 7 years ago)


Security layer testing and penetration

In this assignment you will learn how to attack a reference monitor. The reference monitor you will be testing uses the security layer framework (encasement library, etc.) for the Seattle testbed. It is possible to do this assignment separately however it is recommended that this assignment be you completed after SecurityLayerPartOne. Either way you should already have a working security layer or access to one. Testing the security layer is done by running a series of test cases that an adversary may use to circumvent your system. This assignment is intended to prepare you for thinking about security paradigms in a functional way. The ideas of information, security and privacy have been embedded into the steps of this assignment.


In this assignment you are a tester. You have been sent a bunch of reference monitors that need testing before they are deployed. Your job will be to ensure an attacker cannot circumvent these security layers. In order to do this, you will attempt to write "MZ" to the first two characters of a file. If you are able to do so, then the security layer is not secure. The future of the system depends on your ability to test code thoroughly!

Three design paradigms are at work in this assignment: accuracy, efficiency, and security.

Accuracy: The security layer should only stop certain actions from being blocked. All other actions should be allowed. Efficiency: The security layer should use a minimum number of resources, so performance is not compromised. Security: The attacker should not be able to circumvent the security layer.

After testing, write a report on your findings, including all attacks that succeeded and failed. The write up should include a critique of what was done well or done poorly. In effect, if the design paradigms stated above were followed well, then the security layer was well written. If one or more of the design concepts listed above was not present, then that should be reflected in the write up. This assignment will give you the basics of code auditing and code analysis.

Note: For a full description on MZ executable files see


This assignment assumes you have Python2.5 or Python2.6, Repy and RepyV2 installed on your computer. If you don't already have them please go to SecurityLayerPartOne for a tutorial on how to get them.

The following links will aid students in becoming comfortable with Python, Repy and seattle:

Testing security layers

Hypothesis, test case, counter example

The goal of a good tester is to test hypotheses. A hypothesis is just a scientific way of asking a question. The hypothesis of this assignment is "This security layer is well designed." The questions you will ask when running your test cases will always be the same

  • "Is this reference monitor secure?"

  • "Does this reference monitor hamper performance?"
  • "Does this reference monitor prevent actions that should be allowed?"

Notice that these questions are parallels of the security paradigms: security, efficiency and accuracy, respectively.

If we can find a case where the hypothesis is false, then the security layer is not secure. Such a case is referred to as a counter example. Hence all test cases should be designed to test for these three types of flaws.

Examples of tests

Test cases are briefly described in SecurityLayerPartOne and RepyV2SecurityLayers. Below is another example of a test case you may want to consider. This test case gives the right 'style' for your all your test cases, but lacks in the number of test cases. A good attack will include many test cases.

Test case

# Open a file
# Attempt to write "MZ" to the file
# It raised an Exception (as it was supposed to):
except ValueError:
  log("The security layer correctly blocked the write!!!")
# No Exception was raise
  log("Wrote an MZ!!!")
  # Close the file after our attempt.

Code analysis

It is important to keep in mind that only lowercase file names are allowed. So in the above code, specifically:

# Open a file

look.txt is a valid file name, however Look.txt is not. Examples of other invalid files names are, look@.txt, look/.txt, and look().txt. Essentially all non-alphanumeric characters are not allowed.

In this case we are verifying the security of the reference monitor. This code attempts to write "MZ" to the file directly. First the file is opened using myfile=openfile("look.txt",True). Next myfile.writeat("MZ",0) tries to write "MZ" to the file. The 0 refers to an offset of zero. The try: statement tells the program to "try" this case. Notice that the except is executed if an error is raised. If the security layer fails the test then the else statement is executed. The finally: statement will always run, closing the file.

Hints and Ideas for testing

When writing your own tests it is important to test for a complete set of possible penetrations. Keep in mind, it only takes one test case to break through a security layer. Some of the things you may want to test for include:

  • threading
  • writing to one position at a time
  • writing to both positions at once

And more! Remember a good security layer can't be broken by anyone! Which is all part of the fun! It's about solving a puzzle. First you make the puzzle - write the security layer, then you solve the puzzle - try to bypass it. If your puzzle is "good enough", no one will be able to break it, no matter what.

Notes and Resources

  • In repy 'log' replaces 'print' from python. Many students find this to be a stumbling block.

Extra Credit

Students can be provided with a second set of reference monitors. These attempt to prevent students from writing 'p0wnd' to a file.

What to turn in?

  • Turn in the test cases used to attack a given reference monitor.
  • Turn in the write up of each reference monitor attacked, with critique of the reference monitor. Critique should include all test cases that worked.
  • Write up for 'p0wnd' reference monitors.