Breaking My Security Assignments
14 comments · June 12, 2025
red_admiral
I feel if you solve a security assignment by hacking the system, YOU'RE DOING IT RIGHT. I hope you get a first-class mark for this.
Also, https://xkcd.com/2385/
dmurray
It's important that he's hacking a system developed by (presumably) his lecturer or professor, not by the university's IT department.
The professor hopefully has an interest in actual security research and some level of intellectual curiosity in general. The IT department is more likely to run on security by checklist and certification, and much more likely to throw the student under the bus of some Academic Misconduct Committee.
red_admiral
It's a locally run VM, so I doubt IT even knows what's in there and wouldn't notice what you're doing with it. How do you know if a student mounts the disk of a VM locally that they've already downloaded to their laptop?
The goal of the assignment is to exploit something anyway, just not necessarily this way. And she got her professor's consent to publish the article.
It seems the system was moved to the cloud in later years with ssh-only access. Exploiting something inside the VM should be fine and maybe a feature for some assignments - probably one reason it's a VM in the first place. It's not like anyone's hacking the university network.
Since there's mention of `@bham.ac.uk` - I forget if it was Birmingham or Brighton or someone else, but the way things work in GB is teachers submit "unreleased" grades after marking their exams, an exam board approves or fiddles with these grades, and then the grades for all students on a course are released together on "results day". A CS student got in trouble somewhere because they passed around the info that you could see unreleased grades in the "learning management system" by selecting "view source" and looking for the "display:none" entries in a table or something like that.
dmurray
Great post and great attitude. Little bit of a mixed message from this:
> Within the aims of the module this is fine - this is an introduction to security module so if you can exploit it like this, you're not really the target audience and you've already achieved the aims of the module.
> This isn't going to save me any time - I still need to do the assignments because they're assignments for a University module, which is supposed to teach me things. If I don't do the assignments and effectively cheat by submitting tokens I recover this way, I personally will suffer and not know what I'm doing in enough detail when it comes to the final exam and just generally will lack this knowledge that might be useful in future.
Which is it? This introduction to security module couldn't possibly have anything to teach someone who already has this level of ability, or it could?
saghm
To me, the first paragraph you quoted seems to be describing the modules themselves in the abstract, whereas the latter is about the university testing environment. There are plenty of things that I could do given ample time and the ability to look things up but would struggle to answer detailed questions about in a timed context without any notes or access to the internet. I think it's a fairly well-established concept that actively restating something you already know helps with recall later, like how the act of writing notes is considered to be useful even independent of studying them later. In the outside world, if you already know these concepts, you'll be able to refresh yourself about them easily enough whenever you end up needing to use them, but when you're getting tested in school, you need to do the refresher beforehand, and going through the exercises as they're intended is a pretty reasonable way to do that.
pastage
When you do problems from books, you do them to get faster and to discover edge cases and that is where you learn stuff. Being able to mount a disk image is a good thing to know how to do in security research, but it is not enough.
I do not know how these exercises were made, but it sounds like in the beginning they had a central server for tests, probably not security things, and then someone just moved that software to VMs to let the students be more flexible.
glitchc
You may be right, of course. However, it's worth noting that switching to VMs changed the security posture of the exercise and it's not an encouraging sign that the cybersecurity faculty did not pick up on it.
Oleksii1n
I still don't understand why they must compile assignments' source code on your instance. Why can't assignments be pre-compiled and shared as binary to prevent open code data?
saghm
I don't think they did need to; the author mentioned this in one of the footnotes:
> I'm a little surprised that the source code was included as opposed to precompiled .class files to further obfuscate what's going on, but then again by this point, with the GPG encryption and all, I don't imagine the module team was focused on preventing me from meddling around as much as they were focused on getting a module out of the door
curtisszmania
[dead]
Kudos for breaking the environment in a security course.
> This entire attack was possible because I have the VM's disk image right here on my computer and I can do absolutely whatever I want to it, such as overriding its access control settings.
This is the key insight. Protecting via VMs and obfuscations does not provide security equivalent to network boundaries and hardware protections. While the encryption step may have helped, it was self-defeating as the key was stored on the VM and the VM was in your control. It would have been much harder (perhaps impossible) to crack if the unique key was ephemerally sourced from a server prior to every decryption coupled with some end state from the exercise.
> Within the aims of the module this is fine - this is an introduction to security module so if you can exploit it like this, you're not really the target audience and you've already achieved the aims of the module.
Yes, it's clear to me that the course has little left to teach you. At this point I would just submit the generated tokens for every assignment and read more complex material. I say this as an academic and a cybersecurity expert.