Grading Guidelines

These are the guidelines that we try to follow when grading your submissions.

Whenever you feel that we have treated your submission unfairly and have not followed our own rules, you are encouraged to write an email to seclab@posteo.de.


Each task has a number of achievable points assigned to it.

If you submit a perfect solution, you will of course receive full points.

You cannot get negative points for a task.

If there are issues with your submission, points will be deducted as follows:

1. General issues

  1. If there is no solution at all for a task, you will be awarded 0 points for that task.
  2. If we detect that a solution for a task has been plagiarised, all involved groups will get 0 points for the whole sheet.

2. Technical issues

  1. If the solution logic is not written in pure Python 3, you will be awarded 0 points for that task.
    Examples:

    #!/usr/bin/env python

    import subprocess
    subprocess.check_output('./i_like_bash_better.sh')

    ☝️ Something like this will result in 0 points, because the solution logic is written in bash.

    # the shellcode was created by running nasm -f elf -o shellcode shellcode.asm
    shellcode = open('./shellcode', 'rb').read()
    exploit_binary('./exploitme', shellcode)

    ☝️ This is ok, if the shellcode.asm source file and the shellcode binary file have been committed as well, because it is just data for the application logic in exploit_binary() (not pictured).

  2. If the solution is not executable, 1 point will be deducted.

  3. If the solution is not properly named (e.g. it is not called solution), 1 point will be deducted.

  4. If the comments are missing but would probably have helped us understand your solution, 1 point will be deducted.

  5. If the solution crashes with an error (Python Exception, Segmentation Fault, …), 1 point will be deducted.

  6. If there is more output on stdout than what is required (usually just the result FLAG{…} or a number), 1 point will be deducted. Usually, this refers to additional GDB / pwntools output.

  7. If the solution does not respect the timeout of 10 seconds, 1 point will be deducted.

  8. If the solution contains lots of unused code (commented out, not called, …), 1 point will be deducted.

3. Content-related issues

  1. If the solution is completely wrong, you will be awarded 0 points for that task.

  2. If the solution is missing a crucial part, you will be awarded 0 points for that task. It is up to the tutor to decide what constitutes a crucial part, and that definition will be applied across all submissions.

  3. If the solution violates constraints or requirements from the task description, you will be awarded 0 points for that task.
    Examples:

    1. Task: “Exploit the binary and print the flag!”

      # I found the flag with Ghidra
      print("FLAG{abcdef}")

      ☝️ This is considered cheating because the printed result looks right, but no exploitation is being done by the solution. 0 points.

    2. Task: “Calculate (some key with some properties). Hint: Use z3 to solve the constraints!”

      key = calculate_key_but_do_not_use_z3_at_all()
      print(key)

      ☝️ It is not forbidden to make life harder for yourself. You may also ignore hints. If the solution is correct, you get points for this one.

    3. Task: “Calculate (some key with some properties). You must use z3 to solve the constraints!”

      key = calculate_key_but_do_not_use_z3_at_all()
      print(key)

      ☝️ In this case the use of the z3 library was required, so this solution would yield 0 points.

    4. Task: “Exploit (something). Do not use pwntools' pwnlib.shellcraft for this exercise!”

      from pwnlib import shellcraft

      l = listen(fam='ipv6', timeout=5)
      assembly = shellcraft.i386.linux.connect('::1', l.lport, 'ipv6')

      ☝️ Whoops! This solution violates a constraint from the task description, so it would yield 0 points.

  4. For every minor mistake, 1 point will be deducted. It is up to the tutor to decide what constitutes a minor mistake, and that definition will be applied across all submissions. Remember that you cannot get negative points for a task.

Finally, here’s an illustrative example:
Task: Parse some numbers from a binary file and print the sum! (4 Points)

  • solution is not executable (technical issue, 1 point deducted)
  • first number parsed correctly
  • second number parsed with wrong endianness (content related issue, 1 point deducted)
  • third number parsed correctly
  • fourth number parsed as octal instead of hexadecimal number (content related issue, 1 point deducted)
  • sum (of the wrong numbers) calculated correctly
  • 👉 1/4 points.
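
A pre-submission self-check for the mechanical technical issues listed above (file name, executable bit, crash, extra output on stdout, 10 second timeout). This is an added example, not the tutors' grading tool: `check_submission`, `write_sample` and the result pattern are assumptions, and the sample submission is constructed.

```python
#!/usr/bin/env python3
# Added example: pre-submission self-check, not the tutors' grading tool.
import os
import re
import subprocess
import sys
import tempfile

TIMEOUT_S = 10               # timeout from the guidelines
EXPECTED_NAME = "solution"   # file name from the guidelines
# Assumption: the required result is a single FLAG{...} or a single integer.
RESULT_RE = re.compile(r"FLAG\{[^}\n]*\}|-?\d+")


def check_submission(path, timeout=TIMEOUT_S):
    """Return a list of findings; an empty list means nothing was flagged."""
    path = os.path.abspath(path)
    findings = []
    if os.path.basename(path) != EXPECTED_NAME:
        findings.append("not named 'solution'")
    if not os.access(path, os.X_OK):
        return findings + ["not executable"]        # cannot be run as ./solution
    try:
        proc = subprocess.run([path], cwd=os.path.dirname(path),
                              stdin=subprocess.DEVNULL, capture_output=True,
                              text=True, errors="replace", timeout=timeout)
    except subprocess.TimeoutExpired:
        return findings + [f"no result within {timeout} s"]
    if proc.returncode != 0:                        # exception or fatal signal
        findings.append(f"crashed (exit status {proc.returncode})")
    if not RESULT_RE.fullmatch(proc.stdout.strip()):
        findings.append("stdout is not exactly one FLAG{...} or number")
    return findings


def write_sample(directory, body, name=EXPECTED_NAME, mode=0o755):
    """Write a constructed sample submission and return its path."""
    path = os.path.join(directory, name)
    with open(path, "w") as f:
        f.write(f"#!{sys.executable}\n{body}\n")
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_submission(sys.argv[1]) or "no findings")
    else:   # constructed sample: prints debug output before the flag
        with tempfile.TemporaryDirectory() as d:
            print(check_submission(write_sample(d, "print('debug')\nprint('FLAG{abcdef}')")))
```

Run it with the path to your own `solution` as the only argument; output on stderr is not checked, because the guidelines only mention stdout.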