6.033 - Computer System Engineering Trust & Web Certificates Assignment

Hands-on 11: Trust & Web Certificates

Complete the following hands-on assignment. Do the activities described, and submit your solutions using the online submission site by 11:59p.

This assignment explores the meaning of "trust" when using computers, and in particular in using SSL/TLS certificates (HTTPS or other uses). You will be taking a simple Python "shell" and inserting a backdoor (somewhat similar to the backdoor described in the next paper), and answering some questions about web certificates.

This assignment must be completed on a Unix based OS running Python. Athena is a suitable environment.

This assignment involves programming.

I. Warmup

Download and save shell.py, which contains our sample shell. You might run the following command to do this:

  $ wget http://web.mit.edu/6.033/www/assignments/trust/shell.py

Read through the code briefly to get a sense of how it works before continuing.

Ensure that you are in the directory you downloaded shell.py into, mark it executable with chmod +x shell.py, and then run it with ./shell.py. Once in the shell, you can use the help command to see what commands are available.

Exercise 1: What should you type (within the shell) to see the source of "shell.py"?

Our shell supports downloading new code from the Internet, which will be relevant to the backdoor that you'll write later and the web certificates questions. We've written a slightly different version of the shell that colorizes the prompt and does a couple of other things.

Exercise 2: Use the shell's built-in update command to download http://web.mit.edu/6.033/www/assignments/trust/shell.color.py. Note that you have a chance to read the new code before it is installed. Once you have the new code, run reexec to start the new shell. You should see a colored prompt. What else has changed?

Note that shell.py has now been overwritten with the colored version. You will need to redownload the original shell.py later.

Exercise 3: The shell also supports "logging in". Try using the login and logout commands to log in and out. Another command shows the authentication status — which command is it?

II. Protecting against getting bad code

You need to trust a wide variety of parties when downloading software from the internet. One way to reduce that risk is to download your software over TLS, which removes the need to trust your wifi connection or routers between you and the server. TLS encrypts and signs all data transferred over your connection. It protects against man-in-the-middle attacks by verifying who you are talking to by checking for a certificate signed by a recognized certificate authority.

Exercise 4: Even downloads over HTTPS/TLS require trusting a variety of organizations. Name at least three different parties that needed to be trusted for an TLS connection to be secure. (This should be roles, like "the operators of all the routers between me and the server", rather than specific companies.)

Exercise 5: Even if the parties in Exercise 4 are well-meaning, they can still make mistakes that compromise the security of the TLS connection. List at least three mistakes they could make.

Exercise 6: Look at a couple certificate authorities (providers of TLS certificates), such as StartSSL (which issues certificates for free), VeriSign/Symantec, or GeoTrust. How do they verify that you control the domain name you're getting a certificate for?

Exercise 7: Another common weakness is incorrectly using certificate libraries. While the update command can be used with an https:// URL, it has a critical issue in which using it over an insecure connection could leave you with a compromised shell. Why? (You can find the answer in the Python documentation. Alternatively, "The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software" is an interesting (and an entirely optional) paper that you could read (or skim) to find out.)

III. Writing a backdoor

If untrusted code gets installed (by downloading software from an untrusted source or over an untrusted wi-fi connection, for example), it can be very difficult to detect or remove it. Next, you will add a backdoor to the shell you worked with earlier. Like the backdoor in Reflections on Trusting Trust, this backdoor will have both a payload and a mechanism to compromise new versions of the code. In Trusting Trust this latter mechanism is in the compiler, while your backdoor will compromise the update mechanism.

Exercise 8: Modify the original shell (not the colored version) to add an undetectable "backdoor" that saves usernames to a file on disk. Include your code in your submission for this assignment. How long did it take you to complete this assignment?

Some requirements for your backdoor:

You can implement your backdoor however you wish. One possible approach takes advantage of the fact that, in Python, later function declarations replace earlier ones. You can create a separate file containing alternate definitions of some functions and include it using Python's execfile function. You should only need to redefine the read_file, write_code, and login functions. You will probably need to write 15–50 lines of code for this section.

Go to 6.033 Home Page