Naccio Challenge - Rules

In the spirit of the contest, successful attacks must reveal a weakness in the Naccio/JavaVM design or implementation, or in the policy specification. Attacks that reveal flaws in the web server or general security weaknesses on the server machine do not win, and are not permitted (although we appreciate you bringing them to our attention).

We appreciate you making your attacks as "harmless" as possible - it is sufficient to demonstrate that real harm could be inflicted if you so desired. Attackers who deliberately cause more harm than necessary will be ineligible for any prizes.

The messages returned by the server will reveal more information than the safety policy allows. For example, if you try to open a file "~evans/test", the safety policy may produce a violation message that reveals the home directory path. This is not a security flaw, since under normal circumstances the victim of an attack would not send back helpful messages to the attacker.

All transmitted classes are logged for future analysis. If you don't want us looking at your class, don't transmit it.

If you believe you have succeeded in exploiting a system weakness, send a message to evans@cs.virginia.edu. Winners will be expected to provide some useful information on how their attack works, and to provide a picture showing them enjoying (or wearing) their prize for the Naccio Attackers Hall of Fame.

Naccio Home Page
David Evans
University of Virginia, Computer Science