Project 8: Autograder

  • This project is due at 11:59pm on Friday, Apr 23, 2021. This is a final deadline: because the semester is ending, there cannot be late submissions.

Description and Deliverables

Project 8 is a bonus project that can only help your grade. In this bonus project, you will employ the set of critical thinking skills and operational attacking skills you’ve developed across the past semester to create an attack on our autograder system. This is a challenging project for a small number of bonus points.

In your first seven projects, you submitted files to Gradescope in a format we specified, and an autograder program gave you points based upon a rubric. This time, you can submit anything you like, and the autograder will always give you a zero. Your grade is hardcoded into it. The only way to get points is to attack the autograder itself!

Use any resource at your disposal, but do not share your methods with other students, and remember, this is an optional bonus assignment: a fun challenge for your own edification, not something over which to be stressed. Good luck.

To receive credit for this project, you will turn in a single file:

  • A file named project8/futile

Autograder systems

The Gradescope autograder is well-documented. Please refer to that documentation for specific details. The basic idea is that a course instructor uploads a program called run_autograder which follows the Gradescope specifications and produces an output in the format that Gradescope expects. Students submit to Gradescope and have their work evaluated on demand by this script. Here is an example set of grading scripts which copies the student program into a directory and then executes it.

In general, running a program from an untrusted source on your system is a very dangerous activity. The autograders we used in p0 through p7 never executed the code you produced; however, the grader in project8 does execute your submission. It may not execute your program in a safe manner, and thus you may be able to exploit it to improve your grade. Finally, another major difference between our previous autograders and the project8 autograder is that the p8 autograder is a bash script, which introduces its own security concerns.
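
From the grader author's side, the sketch below shows some inexpensive containment measures for a bash grader that must execute a submission. It is an added example, not the course's grader or Gradescope's code; the function names, the LIMIT_SECS variable and the expected-output check are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example, not the course's grader. Function names, LIMIT_SECS and the
# expected-output check are assumptions made for illustration.

# run_submission FILE
# Executes an untrusted script with a few cheap containment measures and prints
# only its stdout. Returns non-zero if the script fails or exceeds the limit.
run_submission() {
    local src="$1" limit="${LIMIT_SECS:-10}" work out status
    work=$(mktemp -d) || return 1
    if ! cp -- "$src" "$work/submission"; then
        rm -rf -- "$work"
        return 1
    fi
    out=$(
        cd "$work" || exit 1
        ulimit -t "$limit"   # cap CPU seconds for this subshell and its children
        # env -i: the submission inherits none of the grader's variables
        # (tokens, paths). stdin and stderr are detached; timeout bounds wall time.
        env -i PATH=/usr/bin:/bin HOME="$work" \
            timeout "$limit" bash ./submission </dev/null 2>/dev/null
    )
    status=$?
    rm -rf -- "$work"
    printf '%s\n' "$out"
    return "$status"
}

# grade EXPECTED FILE
# The score is decided here, from captured output, after the submission has
# exited; nothing the submission prints is interpreted as a score.
grade() {
    local expected="$1" src="$2" got
    if got=$(run_submission "$src") && [ "$got" = "$expected" ]; then
        echo 10
    else
        echo 0
    fi
}

# Limits of this sketch: the submission still runs under the grader's UID, so
# it can read or write any file the grader can. Closing that gap needs a
# separate unprivileged user, a container or a VM, with the grader's own files
# and results directory outside the submission's reach.
```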

As with all previous assignments, you do not have direct access to the code of the auto_grader script; i.e., your attack is blind and thus closer to what you encounter in the real world. Nonetheless, the auto_grader has a vulnerability you can exploit so that you can learn how it works. You can create a few sample submissions to see what it does. For example, you can try submitting the following program to see what happens:


echo "hello"

Hint One

Before following the hints in this section, I encourage you to play with the system, and also think about the following question:

  • How are bash scripts evaluated? As the bash interpreter begins interpreting a script, what happens if the script itself changes?

Hint Two

After spending a bit of time in Hint One, you may consider reading this post by someone who also noticed that Gradescope’s autograder may have some flaws. The solution listed there will not work on this project, but it provides the theory and a good starting point.

Grading

This project is worth 0 points. If your submission results in a higher score than 0, up to 10 points will be added to your final project score for the class.