VirtualExam (vx)
Security considerations

  1. In the VX environment, the X display itself is locked down by VX, but the desktop and user environment of the host running the X server (i.e., the host in front of which the student sits the exam) must be additionally locked down to prevent the student running programs locally — for example a web browser or chat client. This lock down mode is beyond the scope of this article, but can perhaps be achieved by means of a restricted local user account and something akin to kiosk mode.
  2. Inside a VX environment instance, a student's UID/GID will be their real UID + 900000. There are two reasons for this:
    • A chroot environment does not prevent the use of non-filesystem-related interprocess communication such as shared memory and pipes. Thus, if a student were able to start a process on an exam backend server a priori, it would be less detectable by invigilators (in ps it would be indistinguishable from the student's legitimate exam processes) and easier for the student to communicate with during the exam if their in-exam UID and real UID were the same.
    • TCP/IP network filters can be applied using iptables based on UID of the originator of the traffic. It is, thus, an easy matter to use iptables to create rules (in the OUTPUT chain) to limit all examees' network traffic simply by specifying an originator UID range of 900000+.
  3. The chroot directory structure (gaol) is created on the fly in /var/gaol/<student-zID> on the exam backend server when the student signs in. mount --bind (for directories) and hard links (for files) are used to import root-owned filesystem objects into the gaol.
    • These include /dev, /proc, directories containing system documentation, libraries, header files, etc.
    • The contents of /etc are very selectively recreated, as required, in the gaol's /etc. Note that custom /etc/passwd and /etc/group files are created which reflect the special in-exam UID of the user/student.
    • The contents of any bin directory are not imported en masse using a mount --bind, but are selectively hard-linked in as required as part of the default-deny strategy.
    • To a very, very large extent, what actually appears in the gaol filesystem is controlled by vx.conf configuration files. The main configuration file is in /home/virtualexam/etc. This is supplemented by the vx.conf file, if any, found in /home/<class-account>/etc. See vx.conf for the good oil on what can be in these files and how they're formatted.
  4. The VX configuration files only allow root-owned objects to be created in the gaol (otherwise a class account administrator might be able to create mayhem!).
  5. A startup file in the user's home directory can perform local or per-user configuration.
  6. Students are authenticated using zID and zPass.
  7. Students can potentially use process command lines (viewable using ps) to exchange information during an exam. The /proc filesystem can be remounted with the option hidepid=1 to hide users' process information from each other and remediate this weakness. There is also a further option which removes this restriction for a nominated group (e.g., "wheel") so that its members can monitor the students during the exam. See the Linux kernel's Documentation/filesystems/proc.txt.
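The UID-based egress filter of item 2 and the /proc remount of item 7, written out as an added example (not VX's own scripts): the commands are printed for review by default and only executed by vx_apply as root. LAB_NET (the destinations examees may still reach) and the upper bound of the in-exam UID range are assumptions, not values from this page.

```shell
#!/bin/sh
# Added example, not part of VX: two of the controls described above as
# shell functions. Assumed values (not from the page) are labelled below.
set -eu

VX_UID_OFFSET=900000                      # page: in-exam UID = real UID + 900000
VX_UID_MAX=$((VX_UID_OFFSET + 99999))     # assumption: real UIDs are below 100000
LAB_NET="${LAB_NET:-192.0.2.0/24}"        # assumption: hosts examees may reach
HIDEPID="${HIDEPID:-1}"                   # page suggests 1; 2 hides /proc/<pid> dirs entirely

# In-exam UID/GID for a real UID, as VX maps it inside the gaol.
vx_uid() { echo $(( $1 + VX_UID_OFFSET )); }

# Egress rules: a dedicated chain catches everything sent by the in-exam UID
# range (owner match), permits only the lab network, and logs+drops the rest.
# Printed one command per line so they can be reviewed or piped to sh.
vx_egress_rules() {
  cat <<EOF
iptables -N VX_EXAM
iptables -A VX_EXAM -d ${LAB_NET} -j ACCEPT
iptables -A VX_EXAM -j LOG --log-prefix "vx-egress-drop: "
iptables -A VX_EXAM -j DROP
iptables -I OUTPUT 1 -m owner --uid-owner ${VX_UID_OFFSET}-${VX_UID_MAX} -j VX_EXAM
EOF
}

# /proc remount hiding other users' processes; the numeric GID passed in is
# exempt so invigilators in that group can still watch examees with ps.
vx_proc_remount_cmd() {
  echo "mount -o remount,hidepid=${HIDEPID},gid=$1 /proc"
}

# Apply both controls. Requires root; exempt group defaults to "wheel".
vx_apply() {
  [ "$(id -u)" -eq 0 ] || { echo "vx_apply: must run as root" >&2; return 1; }
  gid=$(getent group "${1:-wheel}" | cut -d: -f3)
  vx_egress_rules | sh -e
  sh -c "$(vx_proc_remount_cmd "$gid")"
}

# Review mode (default): print what vx_apply would run.
if [ "${1:-}" != apply ]; then
  echo "# in-exam UID for real UID 1234: $(vx_uid 1234)"
  vx_egress_rules
  vx_proc_remount_cmd 10
else
  vx_apply "${2:-wheel}"
fi
```

Run with `apply [group]` as root to install the rules; without arguments it only prints them.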