1. Your security layer should produce no output!
2. Remember that filenames can only contain lowercase letters and numbers.
3. Your reference monitor should be named reference_monitor_hl3475.r2py
4. For extra credit, turn in a second repy file called extra_credit_hl3475.r2py
5. DO NOT put them together in a zip file. Upload them as separate files.
Attack Reference Monitors
● Goal: Better understand security mechanisms
● Task: Attack other students’ Assignment 2, Part 1 reference monitors
● Create multiple test cases, one test per issue
– Must output only when a bug is found
– Accuracy bug
– Security bug
– If your test is wrong, you will lose points!
– Refer to the instructions on the web
Find bugs in the extra credit reference monitors given the altered threat model. You should include
more test cases in the extra credit!
How to run your tests on many reference monitors:
If you are using Mac or Linux, you can do something like the following:
– Put all the security layers and attack cases in the same directory you used before to run
a single security layer and attack program.
Then you can type the following in the bash shell to execute the testcases with the reference
for referencemonitor in reference_*; do
  for testcase in hl3475_*.r2py; do
    python repy.py restrictions.default encasementlib.r2py "$referencemonitor" "$testcase"
  done
done
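The loop above only shows whatever each run prints, without saying which pair printed it. As an added example (not part of the original assignment text), the function below runs the same pairs and lists each reference monitor and test case combination that produced output, since a test case must output only when a bug is found. The names RUNNER and attack_matrix are assumptions made for this example, and any text on stdout or stderr is counted as output.

```shell
# Added example, not from the assignment: summarise which
# (reference monitor, test case) pairs produced any output.
# RUNNER is an assumed variable holding the repy command line used on this page.
RUNNER=${RUNNER:-"python repy.py restrictions.default encasementlib.r2py"}

attack_matrix() {
    # $1 = test case prefix, i.e. your NetID plus underscore (hl3475_)
    prefix=$1
    hits=0
    total=0
    for monitor in reference_*; do
        [ -e "$monitor" ] || continue          # glob matched nothing
        for testcase in "$prefix"*.r2py; do
            [ -e "$testcase" ] || continue
            total=$((total + 1))
            # Capture stdout and stderr; a non-zero exit must not stop the loop.
            out=$($RUNNER "$monitor" "$testcase" 2>&1) || true
            if [ -n "$out" ]; then
                hits=$((hits + 1))
                printf 'BUG %s %s\n' "$monitor" "$testcase"
            fi
        done
    done
    printf 'pairs with output: %d of %d\n' "$hits" "$total"
}

# Run only when repy.py is present in the current directory.
if [ -e repy.py ]; then
    attack_matrix hl3475_
fi
```

A silent pair means the test case found nothing against that monitor; a BUG line names the pair to inspect by hand.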
What to turn in:
Turn in the test cases used to attack the reference monitors in a zip file. The name of
each testcase must start with your NetID (hl3475) in lowercase followed by an underscore. For
Optionally turn in the test cases used to attack the extra credit reference monitors in a
separate zip file. Note that in this case, you can expect that your code is run more than once.
In the name of the file, say if it needs to be run multiple times. For
openfile() and exitall() should not be used in the test cases.
Fix your reference monitor (from Assignment 2 Part 1) so that none of the attack programs (test
cases) can bypass it. There should be no accuracy/security bugs. Also, if there are any other bugs in
the program that the test cases have not found, fix them too.
The test cases have been attached. If anybody’s test cases are missing, please inform
us immediately. I will start to run test cases against monitors soon, so please make sure your test
cases are present in the attachment.
Also, if you find any test cases which are meant for the extra credit reference monitors, you may
What to submit:
1. The corrected reference monitor (named reference_monitor_[netid].r2py)
2. Your security layer should produce no output!!