

{"id":204,"date":"2021-06-14T20:37:40","date_gmt":"2021-06-14T18:37:40","guid":{"rendered":"https:\/\/project.inria.fr\/espdms\/?page_id=204"},"modified":"2022-04-01T11:07:39","modified_gmt":"2022-04-01T09:07:39","slug":"game3","status":"publish","type":"page","link":"https:\/\/project.inria.fr\/espdms\/game3\/","title":{"rendered":"Game 3 &#8211; Malicious Employer"},"content":{"rendered":"\n<div>In this game, the employer&#8217;s App leverages its execution privilege to try to leak Points Of Interest of the user. Two versions of a malicious Data Task are available and they leak data differently.\nThe goal here is to run both versions and explain the malicious data tasks&#8217; logic and their differences. In particular, what is the precise leaking strategy that each Data Task implements? If you want to submit your explanation, please use the form at the bottom of the page.\n<\/div>\n<hr>\n<table class=\"wp-block-table\">\n<tbody>\n<tr>\n<td width=\"600\">\n<h2><strong>PDMS version <\/strong><\/h2>\n<ul>\n<li>The Core enforces stateless data tasks:<strong> <span style=\"color: #ff0000;\">NO <\/span><\/strong><\/li>\n<li>The Core enforces deterministic data tasks:<strong> <span style=\"color: #ff0000;\">NO<\/span><\/strong><\/li>\n<li>The result size is limited to:<strong> <span style=\"color: #008000;\">6 bits<\/span><\/strong><\/li>\n\n<\/ul>\n<hr \/>\n<h2>Note that: <\/h2>\n<ul>\n<li>A POI is encoded on two 24-bit numbers<\/li>\n<li>POIs are highly sensitive since they can reveal the PDMS owner&#8217;s habits, religion or sexual preferences.<\/li>\n<\/ul>\n<hr \/>\n<br>\n<\/td>\n<td> <img loading=\"lazy\" decoding=\"async\" id=\"Map1\" src=\"https:\/\/project.inria.fr\/espdms\/files\/2022\/03\/POI_0.jpeg\" alt=\"\" width=\"700\" height=\"238\"><\/td>\n<td> <img loading=\"lazy\" decoding=\"async\" id=\"Map2\" src=\"https:\/\/project.inria.fr\/espdms\/files\/2022\/03\/POI_0.jpeg\" alt=\"\" width=\"700\" height=\"238\"><\/td>\n<\/tr>\n<td><\/td>\n<td><h2><button 
onclick=\"attack9()\"><br> Run data task 1 <br><br \/><\/button><small>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Run: <\/small><strong id=\"Run5\">00<\/strong><small>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Nb of retrieved POIs: <\/small><strong id=\"Poi1\">00<\/strong><\/h2>\n<h2> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;First POI retrieved at run: <strong id=\"First1\">  <\/strong><\/h2><\/td>\n<td><h2><button onclick=\"attack10()\"><br> Run data task 2 <br><br \/><\/button><small>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Run: <\/small><strong id=\"Run6\">00<\/strong><small>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Nb of retrieved POIs: <\/small><strong id=\"Poi2\">00<\/strong><\/h2>\n<h2> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;First POI retrieved at run: <strong id=\"First2\">  <\/strong><\/h2><\/td>\n\n<\/tbody>\n<\/table>\n<hr \/>\n<h4> Please answer the following questions and leave a contact e-mail to receive our response<\/h4>\n<table class=\"wp-block-table\">\n<tbody>\n<tr>\n<td \/> \n<td width=\"1300\"><div class=\"frm_forms  with_frm_style frm_style_formidable-style\" id=\"frm_form_11_container\" ><form enctype=\"multipart\/form-data\" method=\"post\" class=\"frm-show-form  frm_js_validate \" id=\"form_game3_form\" ><div class=\"frm_form_fields \"><fieldset><legend class=\"frm_screen_reader\">Game3_Form<\/legend><div class=\"frm_fields_container\"><input type=\"hidden\" name=\"frm_action\" value=\"create\" \/><input type=\"hidden\" name=\"form_id\" value=\"11\" \/><input type=\"hidden\" name=\"frm_hide_fields_11\" id=\"frm_hide_fields_11\" value=\"\" \/><input type=\"hidden\" name=\"form_key\" value=\"game3_form\" \/><input type=\"hidden\" name=\"item_meta[0]\" value=\"\" \/><input type=\"hidden\" id=\"frm_submit_entry_11\" name=\"frm_submit_entry_11\" value=\"b8b402fd39\" \/><input type=\"hidden\" 
name=\"_wp_http_referer\" value=\"\/espdms\/wp-json\/wp\/v2\/pages\/204\" \/><div id=\"frm_field_25_container\" class=\"frm_form_field form-field  frm_required_field frm_top_container\"><label for=\"field_n58g6\" id=\"field_n58g6_label\" class=\"frm_primary_label\">Email<span class=\"frm_required\">*<\/span><\/label><input type=\"email\" id=\"field_n58g6\" name=\"item_meta[25]\" value=\"\"  data-reqmsg=\"Email cannot be blank.\" aria-required=\"true\" data-invmsg=\"Email is invalid\" aria-invalid=\"false\"  \/><\/div><div id=\"frm_field_27_container\" class=\"frm_form_field form-field  frm_required_field frm_top_container\"><label for=\"field_acfx7\" id=\"field_acfx7_label\" class=\"frm_primary_label\">Can you explain the logic difference between datatask1 and datatask 2 ?<span class=\"frm_required\">*<\/span><\/label><textarea name=\"item_meta[27]\" id=\"field_acfx7\" rows=\"5\"  data-reqmsg=\"Can you explain the logic difference between datatask1 and datatask 2 ? cannot be blank.\" aria-required=\"true\" data-invmsg=\"Can you explain the logic difference between datatask1 and datatask 2 ? 
is invalid\" aria-invalid=\"false\"  ><\/textarea><\/div><div id=\"frm_field_31_container\" class=\"frm_form_field form-field  frm_required_field frm_top_container vertical_radio\"><div  id=\"field_ygu48_label\" class=\"frm_primary_label\">How many runs <span style=\"font-weight: bold;\">at minimum<\/span> will be necessary to disclose 16 POI, with a result size of only 11 bits, considering stateless and non deterministic Data Tasks ?<span class=\"frm_required\">*<\/span><\/div><div class=\"frm_opt_container\" aria-labelledby=\"field_ygu48_label\" role=\"radiogroup\" aria-required=\"true\"><div class=\"frm_radio\" id=\"frm_radio_31-0\"><label  for=\"field_ygu48-0\"><input type=\"radio\" name=\"item_meta[31]\" id=\"field_ygu48-0\" value=\"around 50\"   data-reqmsg=\"How many runs &lt;span style=&quot;font-weight: bold;&quot;&gt;at minimum&lt;\/span&gt; will be necessary to disclose 16 POI, with a result size of only 11 bits, considering stateless and non deterministic Data Tasks ? cannot be blank.\" data-invmsg=\"How many runs &lt;span style=&quot;font-weight: bold;&quot;&gt;at minimum&lt;\/span&gt; will be necessary to disclose 16 POI, with a result size of only 11 bits, considering stateless and non deterministic Data Tasks ? is invalid\"  \/> around 50<\/label><\/div><div class=\"frm_radio\" id=\"frm_radio_31-1\"><label  for=\"field_ygu48-1\"><input type=\"radio\" name=\"item_meta[31]\" id=\"field_ygu48-1\" value=\"around 100\"   data-reqmsg=\"How many runs &lt;span style=&quot;font-weight: bold;&quot;&gt;at minimum&lt;\/span&gt; will be necessary to disclose 16 POI, with a result size of only 11 bits, considering stateless and non deterministic Data Tasks ? cannot be blank.\" data-invmsg=\"How many runs &lt;span style=&quot;font-weight: bold;&quot;&gt;at minimum&lt;\/span&gt; will be necessary to disclose 16 POI, with a result size of only 11 bits, considering stateless and non deterministic Data Tasks ? 
is invalid\"  \/> around 100<\/label><\/div><div class=\"frm_radio\" id=\"frm_radio_31-2\"><label  for=\"field_ygu48-2\"><input type=\"radio\" name=\"item_meta[31]\" id=\"field_ygu48-2\" value=\"around 300\"   data-reqmsg=\"How many runs &lt;span style=&quot;font-weight: bold;&quot;&gt;at minimum&lt;\/span&gt; will be necessary to disclose 16 POI, with a result size of only 11 bits, considering stateless and non deterministic Data Tasks ? cannot be blank.\" data-invmsg=\"How many runs &lt;span style=&quot;font-weight: bold;&quot;&gt;at minimum&lt;\/span&gt; will be necessary to disclose 16 POI, with a result size of only 11 bits, considering stateless and non deterministic Data Tasks ? is invalid\"  \/> around 300<\/label><\/div><div class=\"frm_radio\" id=\"frm_radio_31-3\"><label  for=\"field_ygu48-3\"><input type=\"radio\" name=\"item_meta[31]\" id=\"field_ygu48-3\" value=\"around 500\"   data-reqmsg=\"How many runs &lt;span style=&quot;font-weight: bold;&quot;&gt;at minimum&lt;\/span&gt; will be necessary to disclose 16 POI, with a result size of only 11 bits, considering stateless and non deterministic Data Tasks ? cannot be blank.\" data-invmsg=\"How many runs &lt;span style=&quot;font-weight: bold;&quot;&gt;at minimum&lt;\/span&gt; will be necessary to disclose 16 POI, with a result size of only 11 bits, considering stateless and non deterministic Data Tasks ? is invalid\"  \/> around 500<\/label><\/div><div class=\"frm_radio\" id=\"frm_radio_31-4\"><label  for=\"field_ygu48-4\"><input type=\"radio\" name=\"item_meta[31]\" id=\"field_ygu48-4\" value=\"more than 1000\"   data-reqmsg=\"How many runs &lt;span style=&quot;font-weight: bold;&quot;&gt;at minimum&lt;\/span&gt; will be necessary to disclose 16 POI, with a result size of only 11 bits, considering stateless and non deterministic Data Tasks ? 
cannot be blank.\" data-invmsg=\"How many runs &lt;span style=&quot;font-weight: bold;&quot;&gt;at minimum&lt;\/span&gt; will be necessary to disclose 16 POI, with a result size of only 11 bits, considering stateless and non deterministic Data Tasks ? is invalid\"  \/> more than 1000<\/label><\/div><div class=\"frm_radio\" id=\"frm_radio_31-5\"><label  for=\"field_ygu48-5\"><input type=\"radio\" name=\"item_meta[31]\" id=\"field_ygu48-5\" value=\"It&#039;s not possible\"   data-reqmsg=\"How many runs &lt;span style=&quot;font-weight: bold;&quot;&gt;at minimum&lt;\/span&gt; will be necessary to disclose 16 POI, with a result size of only 11 bits, considering stateless and non deterministic Data Tasks ? cannot be blank.\" data-invmsg=\"How many runs &lt;span style=&quot;font-weight: bold;&quot;&gt;at minimum&lt;\/span&gt; will be necessary to disclose 16 POI, with a result size of only 11 bits, considering stateless and non deterministic Data Tasks ? is invalid\"  \/> It's not possible<\/label><\/div><\/div><\/div><input type=\"hidden\" name=\"item_key\" value=\"\" \/><div id=\"frm_field_32_container\"><label for=\"field_d12ot\" >If you are human, leave this field blank.<\/label><input  id=\"field_d12ot\" type=\"text\" class=\"frm_form_field form-field frm_verify\" name=\"item_meta[32]\" value=\"\"  \/><\/div><input name=\"frm_state\" type=\"hidden\" value=\"QDrhT++GVKxSH2ZRVrv94to+wSRIUO31XoP4c6RR8KM=\" \/><div class=\"frm_submit\"><button class=\"frm_button_submit\" type=\"submit\"  >Send your answers<\/button><\/div><\/div><\/fieldset><\/div><\/form><\/div> <\/td>\n<td \/> \n<\/tbody>\n<\/table>\n\n<div id=\"preloadimg\" style=\"display:none;\">\n    <img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/project.inria.fr\/espdms\/files\/2022\/03\/POI_1.jpeg\" width=\"1\" height=\"1\" \/>\n    <img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/project.inria.fr\/espdms\/files\/2022\/03\/POI_2.jpeg\" width=\"1\" height=\"1\" \/>\n    <img loading=\"lazy\" 
decoding=\"async\" src=\"https:\/\/project.inria.fr\/espdms\/files\/2022\/03\/POI_3.jpeg\" width=\"1\" height=\"1\" \/>\n    <img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/project.inria.fr\/espdms\/files\/2022\/03\/POI_4.jpeg\" width=\"1\" height=\"1\" \/>\n    <img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/project.inria.fr\/espdms\/files\/2022\/03\/POI_5.jpeg\" width=\"1\" height=\"1\" \/>\n    <img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/project.inria.fr\/espdms\/files\/2022\/03\/POI_6.jpeg\" width=\"1\" height=\"1\" \/>\n    <img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/project.inria.fr\/espdms\/files\/2022\/03\/POI_7.jpeg\" width=\"1\" height=\"1\" \/>\n    <img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/project.inria.fr\/espdms\/files\/2022\/03\/POI_8.jpeg\" width=\"1\" height=\"1\" \/>\n<\/div>\n<pre><script>\nfunction sleep(ms) {\n    return new Promise(resolve => setTimeout(resolve, ms));\n}\nasync function attack9() {\n    var m = document.getElementById(\"Map1\");\n    var r = document.getElementById(\"Run5\");\n    var p = document.getElementById(\"Poi1\");\n    var f = document.getElementById(\"First1\");\n    await sleep(500); r.innerHTML=\"01\";\n    await sleep(500); r.innerHTML=\"02\";\n    await sleep(500); r.innerHTML=\"03\";\n    await sleep(500); r.innerHTML=\"04\";\n    await sleep(500); r.innerHTML=\"05\";\n    await sleep(500); r.innerHTML=\"06\";\n    await sleep(500); r.innerHTML=\"07\";\n    await sleep(500); r.innerHTML=\"08\";  m.src =   \"https:\/\/project.inria.fr\/espdms\/files\/2022\/03\/POI_1.jpeg\";  p.innerHTML=\"01\";f.innerHTML=\"08\"\n    await sleep(500); r.innerHTML=\"09\";\n    await sleep(500); r.innerHTML=\"10\";\n    await sleep(500); r.innerHTML=\"11\";\n    await sleep(500); r.innerHTML=\"12\";\n    await sleep(500); r.innerHTML=\"13\";\n    await sleep(500); r.innerHTML=\"14\";\n    await sleep(500); r.innerHTML=\"15\";\n    await sleep(500); r.innerHTML=\"16\";  
m.src =   \"https:\/\/project.inria.fr\/espdms\/files\/2022\/03\/POI_2.jpeg\";  p.innerHTML=\"02\";\n    await sleep(500); r.innerHTML=\"17\";\n    await sleep(500); r.innerHTML=\"18\";\n    await sleep(500); r.innerHTML=\"19\";\n    await sleep(500); r.innerHTML=\"20\";\n    await sleep(500); r.innerHTML=\"21\";\n    await sleep(500); r.innerHTML=\"22\";\n    await sleep(500); r.innerHTML=\"23\";\n    await sleep(500); r.innerHTML=\"24\";  m.src =   \"https:\/\/project.inria.fr\/espdms\/files\/2022\/03\/POI_3.jpeg\";  p.innerHTML=\"03\";\n    await sleep(500); r.innerHTML=\"25\";\n    await sleep(500); r.innerHTML=\"26\";\n    await sleep(500); r.innerHTML=\"27\";\n    await sleep(500); r.innerHTML=\"28\";\n    await sleep(500); r.innerHTML=\"29\";\n    await sleep(500); r.innerHTML=\"30\";\n    await sleep(500); r.innerHTML=\"31\";\n    await sleep(500); r.innerHTML=\"32\";  m.src =   \"https:\/\/project.inria.fr\/espdms\/files\/2022\/03\/POI_4.jpeg\";  p.innerHTML=\"04\";\n}\n\nasync function attack10() {\n    var m = document.getElementById(\"Map2\");\n    var r = document.getElementById(\"Run6\");\n    var p = document.getElementById(\"Poi2\");\n    var f = document.getElementById(\"First2\");\n    await sleep(500); r.innerHTML=\"01\";\n    await sleep(500); r.innerHTML=\"02\";\n    await sleep(500); r.innerHTML=\"03\";\n    await sleep(500); r.innerHTML=\"04\";\n    await sleep(500); r.innerHTML=\"05\";\n    await sleep(500); r.innerHTML=\"06\";\n    await sleep(500); r.innerHTML=\"07\";\n    await sleep(500); r.innerHTML=\"08\"; \n    await sleep(500); r.innerHTML=\"09\";\n    await sleep(500); r.innerHTML=\"10\";\n    await sleep(500); r.innerHTML=\"11\"; m.src =   \"https:\/\/project.inria.fr\/espdms\/files\/2022\/03\/POI_1.jpeg\";  p.innerHTML=\"01\";f.innerHTML=\"11\"\n    await sleep(500); r.innerHTML=\"12\";\n    await sleep(500); r.innerHTML=\"13\";\n    await sleep(500); r.innerHTML=\"14\"; m.src =   
\"https:\/\/project.inria.fr\/espdms\/files\/2022\/03\/POI_2.jpeg\";  p.innerHTML=\"02\";\n    await sleep(500); r.innerHTML=\"15\";\n    await sleep(500); r.innerHTML=\"16\"; \n    await sleep(500); r.innerHTML=\"17\"; m.src =   \"https:\/\/project.inria.fr\/espdms\/files\/2022\/03\/POI_3.jpeg\";  p.innerHTML=\"03\";\n    await sleep(500); r.innerHTML=\"18\";\n    await sleep(500); r.innerHTML=\"19\";\n    await sleep(500); r.innerHTML=\"20\"; m.src =   \"https:\/\/project.inria.fr\/espdms\/files\/2022\/03\/POI_4.jpeg\";  p.innerHTML=\"04\";\n    await sleep(500); r.innerHTML=\"21\";\n    await sleep(500); r.innerHTML=\"22\";\n    await sleep(500); r.innerHTML=\"23\"; m.src =   \"https:\/\/project.inria.fr\/espdms\/files\/2022\/03\/POI_5.jpeg\";  p.innerHTML=\"05\";\n    await sleep(500); r.innerHTML=\"24\"; \n    await sleep(500); r.innerHTML=\"25\";\n    await sleep(500); r.innerHTML=\"26\"; m.src =   \"https:\/\/project.inria.fr\/espdms\/files\/2022\/03\/POI_6.jpeg\";  p.innerHTML=\"06\";\n    await sleep(500); r.innerHTML=\"27\";\n    await sleep(500); r.innerHTML=\"28\";\n    await sleep(500); r.innerHTML=\"29\"; m.src =   \"https:\/\/project.inria.fr\/espdms\/files\/2022\/03\/POI_7.jpeg\";  p.innerHTML=\"07\";\n    await sleep(500); r.innerHTML=\"30\";\n    await sleep(500); r.innerHTML=\"31\";\n    await sleep(500); r.innerHTML=\"32\"; m.src =   \"https:\/\/project.inria.fr\/espdms\/files\/2022\/03\/POI_8.jpeg\";  p.innerHTML=\"08\";\n}\n<\/script>\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>In this game, the employer&#8217;s App leverages its execution privilege to try to leak Points Of Interest of the user. Two versions of a malicious Data Task are available and they leak data differently. 
The goal here is to run both versions and explain the malicious data tasks logic and\u2026<\/p>\n<p> <a class=\"continue-reading-link\" href=\"https:\/\/project.inria.fr\/espdms\/game3\/\"><span>Continue reading<\/span><i class=\"crycon-right-dir\"><\/i><\/a> <\/p>\n","protected":false},"author":67,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-204","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/project.inria.fr\/espdms\/wp-json\/wp\/v2\/pages\/204","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/project.inria.fr\/espdms\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/project.inria.fr\/espdms\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/project.inria.fr\/espdms\/wp-json\/wp\/v2\/users\/67"}],"replies":[{"embeddable":true,"href":"https:\/\/project.inria.fr\/espdms\/wp-json\/wp\/v2\/comments?post=204"}],"version-history":[{"count":77,"href":"https:\/\/project.inria.fr\/espdms\/wp-json\/wp\/v2\/pages\/204\/revisions"}],"predecessor-version":[{"id":1167,"href":"https:\/\/project.inria.fr\/espdms\/wp-json\/wp\/v2\/pages\/204\/revisions\/1167"}],"wp:attachment":[{"href":"https:\/\/project.inria.fr\/espdms\/wp-json\/wp\/v2\/media?parent=204"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}