Wednesday 27th April 2022
09:30 – 11:00 BST
Duration: 1 hour 30 minutes
Additional time: 30 minutes
Timed exam – fixed start time
DEGREES OF MRes, MSc, MSci, MEng, BEng, BSc, MA and MA (Social Sciences)
SECURED SOFTWARE ENGINEERING
(COMPSCI 5104)
Answer All 3 Questions
This examination paper is an online, open book assessment
and is worth a total of 60 marks.
For this exam you will often be required to provide justification or rationale for answers to
attain the available marks for the questions. It is recommended you provide answers that
do not exceed 150 words to maximise the time available in the exam.
1. (a) You are part of a development team and one of your colleagues has proposed utilising a
sound static analyser. Discuss what this is, the impact this decision will have and whether
it will speed up the development process. [4]
(b) Discuss the relation between variable trust state and the attack surface of a codebase. [3]
(c) A client has implemented an authentication mechanism that fetches credentials from a
network share; they do not believe that DoS attacks will cause issues with the mechanism.
Justify whether they are correct. [3]
(d) Illustrate whether there are any implicit or explicit illegal flows/solutions within the
code snippet on the following page:
A separate pdf document has been provided for you to annotate if you wish. You may also
type the solution in the answer booklet, similar to how the AE1 coursework model answers
were presented. You may also write out the solution by hand diagrammatically and upload
a copy of this electronically as part of the exam submission.
You only need to illustrate a single path identifying explicit/implicit illegal flow/solutions.
If there are no explicit or implicit illegal flows/solutions, illustrate one path and explain
why there is no problem. [10]
1 CONTINUED OVERLEAF
// assumed instantiated
private HashMap mapping;

// declared, not instantiated
private String[] devCodes;
private String extra;

// input parameters assumed untainted
public String appendSignatures(String data, String signature) {
    if (!mapping.containsKey(signature)) {
        signature = getSignature(signature);
        extra = "[signature not in HashMap]";
    }
    if (!isDataValid(data)) {
        System.err.println("error");
        return null;
    } else {
        data = data + signature + extra;
    }
    return data;
}

private boolean isDataValid(String data) {
    if (data.length() <= 8)
        return false;
    return true;
}

// assumed instantiated
String fileName;

private String getSignature(String data) {
    try {
        FileInputStream file = new FileInputStream(fileName);
        ObjectInputStream in = new ObjectInputStream(file);

        devCodes = (String[]) in.readObject();
        for (String code : devCodes) {
            if (code == data) {
                return code;
            }
        }
        in.close();
        file.close();
    } catch (Exception e) {
        System.err.println("something went wrong");
    }

    return data;
}
2. (a) You are consulting with a client who has expressed concern over the use of AES. They tell
you that they believe AES is not secure because the algorithm is public knowledge. Justify
whether their concerns are valid. [5]
(b) The next question concerns the following scenario:
You are being asked to consult with a start-up who are looking to put together a security
policy. You are told that there are three Confidentiality levels ordered in the following
lattice model:
Dev < Eng < Arc
Such that ’Arc’ is the highest security level. Further, there are three Integrity levels ordered
in the following lattice model:
DC < EB < IF
Such that ’IF’ is the highest security level. There are three Confidentiality categories TA,
TB and TC. Table 1 illustrates the Confidentiality security levels and category sets, whilst
table 2 illustrates the associated Integrity security levels.
Object   Confidentiality Security Level   Confidentiality Category Set
S1       Dev                              (TA, TC)
S2       Dev                              (TA)
S3       Arc                              (TC)
O1       Dev                              ∅
O2       Eng                              (TB, TC)
O3       Dev                              (TA, TB, TC)
O4       Dev                              (TB)
Table 1: A security model indicating subject and object confidentiality levels and associated category sets.
Object   Integrity Security Level
S1       IF
S2       DC
S3       IF
O1       DC
O2       IF
O3       EB
O4       EB
Table 2: A security model indicating the Integrity levels associated with objects.
       O1     O2     O3     O4
S1
S2
S3
Table 3: Use this to indicate appropriate permissions.
Fill out table 3 to indicate all applicable permissions when the following are applied:
Simple Security Property.
Star Property.
Simple Integrity Property.
You can assume all required discretionary access has been provided. Treat the combination
as a loose model (i.e. only one of the models needs to provide a relation for the relation to
be valid). [10]
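The following is an added worked example, not part of the exam paper: it encodes the two lattices and the labels from Tables 1 and 2 and evaluates the three properties the question names. The "loose" combination is read as stated in the question, so a read is granted when either the Bell-LaPadula simple security property or the Biba simple integrity property grants it; since only the star property is asked for writes, write is decided by Bell-LaPadula alone. Both of those readings are assumptions about the intended marking, and the strict conjunction is computed alongside for comparison.

```python
# Added example (not part of the exam paper): Bell-LaPadula simple security and
# star properties plus Biba simple integrity over the Question 2(b) lattices.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set

# Linear lattices from the question; a larger index is a higher level.
CONF_LEVELS = {"Dev": 0, "Eng": 1, "Arc": 2}
INT_LEVELS = {"DC": 0, "EB": 1, "IF": 2}


@dataclass(frozen=True)
class Label:
    conf: str               # confidentiality level (Table 1)
    cats: FrozenSet[str]    # confidentiality category set (Table 1)
    integrity: str          # integrity level (Table 2)


def lbl(conf: str, cats: str, integrity: str) -> Label:
    """Build a Label; cats is comma-separated, "" for the empty set."""
    return Label(conf, frozenset(c for c in cats.split(",") if c), integrity)


# Tables 1 and 2 transcribed from the question.
SUBJECTS: Dict[str, Label] = {
    "S1": lbl("Dev", "TA,TC", "IF"),
    "S2": lbl("Dev", "TA", "DC"),
    "S3": lbl("Arc", "TC", "IF"),
}
OBJECTS: Dict[str, Label] = {
    "O1": lbl("Dev", "", "DC"),
    "O2": lbl("Eng", "TB,TC", "IF"),
    "O3": lbl("Dev", "TA,TB,TC", "EB"),
    "O4": lbl("Dev", "TB", "EB"),
}


def conf_dominates(a: Label, b: Label) -> bool:
    """a dominates b in the confidentiality lattice: level(a) >= level(b)
    AND cats(b) is a subset of cats(a). Level alone is not enough."""
    return CONF_LEVELS[a.conf] >= CONF_LEVELS[b.conf] and b.cats <= a.cats


def simple_security_read(s: Label, o: Label) -> bool:
    """BLP simple security ("no read up"): read iff subject dominates object."""
    return conf_dominates(s, o)


def star_property_write(s: Label, o: Label) -> bool:
    """BLP star property ("no write down"): write iff object dominates subject."""
    return conf_dominates(o, s)


def simple_integrity_read(s: Label, o: Label) -> bool:
    """Biba simple integrity ("no read down"): read iff the object's integrity
    level is at least the subject's."""
    return INT_LEVELS[s.integrity] <= INT_LEVELS[o.integrity]


def permissions(loose: bool = True) -> Dict[str, Dict[str, Set[str]]]:
    """Table 3 as nested dicts: result[subject][object] is a subset of
    {"read", "write"}. loose=True follows the question (one model granting the
    relation is enough, so read = BLP read OR Biba read); loose=False is the
    usual strict conjunction (read only if both models grant it).
    Writes are decided by the star property alone, as no Biba write rule is asked for.
    """
    combine = any if loose else all
    table: Dict[str, Dict[str, Set[str]]] = {}
    for sn, s in SUBJECTS.items():
        table[sn] = {}
        for on, o in OBJECTS.items():
            perms: Set[str] = set()
            if combine([simple_security_read(s, o), simple_integrity_read(s, o)]):
                perms.add("read")
            if star_property_write(s, o):
                perms.add("write")
            table[sn][on] = perms
    return table


def render(table: Dict[str, Dict[str, Set[str]]]) -> str:
    """Render the permission grid in the layout of Table 3 (r = read, w = write)."""
    cols = list(OBJECTS)
    lines = ["     " + "".join(f"{c:<7}" for c in cols)]
    for sn in SUBJECTS:
        cells = ["".join(p[0] for p in sorted(table[sn][c])) or "-" for c in cols]
        lines.append(f"{sn:<5}" + "".join(f"{c:<7}" for c in cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print("loose combination (as the question specifies):")
    print(render(permissions(loose=True)))
    print("\nstrict conjunction, for comparison:")
    print(render(permissions(loose=False)))
```

Note that the category set check is what rules out most reads here: S1 sits at the same level as O3 and O4 but lacks TB, so the simple security property denies the read even though the level comparison alone would allow it.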
(c) Discuss whether it is possible to implement an AES algorithm without applying Galois
multiplication lookup tables. [5]
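As an added illustration that is not part of the exam paper, the block below implements the GF(2^8) multiplication that AES MixColumns needs using only shifts and XORs (the xtime method from FIPS 197 section 4.2), beside a table-driven version generated from it, and checks the two agree on every byte pair. The function names, the branch-free variant and the exhaustive comparison are this example's own constructions; the test values are the worked examples from FIPS 197.

```python
# Added example (not part of the exam paper): GF(2^8) multiplication for AES
# without lookup tables, compared against the usual tables.
from typing import List

AES_MODULUS = 0x11B  # x^8 + x^4 + x^3 + x + 1 as a bit pattern


def xtime(a: int) -> int:
    """Multiply a by x (0x02) in GF(2^8): shift left, reduce if bit 7 overflowed."""
    a <<= 1
    if a & 0x100:
        a ^= AES_MODULUS
    return a


def gmul(a: int, b: int) -> int:
    """a * b in GF(2^8) by repeated xtime (shift-and-add); no tables at all."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        a = xtime(a)
        b >>= 1
    return product


def gmul_ct(a: int, b: int) -> int:
    """Same product with no data-dependent branches or table indexing, the
    form preferred where cache-timing leakage is a concern (masks, not ifs)."""
    product = 0
    for _ in range(8):
        product ^= a & -(b & 1)                    # add a when low bit of b set
        carry = (a >> 7) & 1
        a = ((a << 1) & 0xFF) ^ (0x1B & -carry)    # reduce by mask, not branch
        b >>= 1
    return product


# The table-driven alternative, generated here from the table-free routine.
MUL2: List[int] = [gmul(i, 2) for i in range(256)]
MUL3: List[int] = [gmul(i, 3) for i in range(256)]


def mix_column(col: List[int], use_tables: bool) -> List[int]:
    """AES MixColumns on one 4-byte column (FIPS 197 section 5.1.3)."""
    if use_tables:
        mul = lambda v, c: MUL2[v] if c == 2 else MUL3[v]
    else:
        mul = gmul
    a0, a1, a2, a3 = col
    return [
        mul(a0, 2) ^ mul(a1, 3) ^ a2 ^ a3,
        a0 ^ mul(a1, 2) ^ mul(a2, 3) ^ a3,
        a0 ^ a1 ^ mul(a2, 2) ^ mul(a3, 3),
        mul(a0, 3) ^ a1 ^ a2 ^ mul(a3, 2),
    ]


def implementations_agree() -> bool:
    """Exhaustively confirm that gmul, gmul_ct and the tables give the same
    results for every byte pair (tables only cover the constants 2 and 3)."""
    for a in range(256):
        for b in range(256):
            if gmul(a, b) != gmul_ct(a, b):
                return False
        if MUL2[a] != gmul_ct(a, 2) or MUL3[a] != gmul_ct(a, 3):
            return False
    return True


if __name__ == "__main__":
    col = [0xD4, 0xBF, 0x5D, 0x30]   # FIPS 197 Appendix B, round 1 column 0
    print([hex(x) for x in mix_column(col, use_tables=False)])
    print("all implementations agree:", implementations_agree())
```

Whether to use tables is a trade-off rather than a necessity: tables cost memory and, on shared caches, can leak the indices being looked up, while the shift-and-XOR form costs a few more operations per byte but touches no secret-indexed memory.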
3. (a) You are part of a security team implementing a TDES solution to work with legacy software.
Your peer has created two master keys K1 and K2 where K1 = K2. Discuss the consequences
of applying these keys for encryption. [5]
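The following is an added example, not part of the exam paper, showing what happens to two-key Triple DES (EDE with K3 = K1) when K1 = K2. Reproducing DES is out of scope here, so a toy 64-bit Feistel cipher of this example's own construction stands in for it; the property the collapse rests on, D_K(E_K(x)) = x, holds for any block cipher, so the conclusion carries over to real DES.

```python
# Added example (not from the exam paper): two-key TDES with K1 == K2 collapses
# to a single encryption. A toy Feistel cipher stands in for DES.
from typing import List

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF
ROUNDS = 8


def rotl32(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def subkeys(key: int) -> List[int]:
    """Toy key schedule: ROUNDS 32-bit subkeys derived from a 64-bit key."""
    lo, hi = key & MASK32, (key >> 32) & MASK32
    return [rotl32(lo if i % 2 == 0 else hi, (5 * i + 1) % 32)
            ^ ((0x9E3779B9 * (i + 1)) & MASK32)
            for i in range(ROUNDS)]


def round_fn(half: int, k: int) -> int:
    """Toy round function (not cryptographically strong; stands in for DES's f)."""
    x = (half ^ k) & MASK32
    x = (x * 0x9E3779B1 + 0x7F4A7C15) & MASK32
    return rotl32(x, 13) ^ (x >> 5)


def feistel(keys: List[int], block: int) -> int:
    """Feistel network with a final swap; running it with the subkeys reversed
    inverts it, which is exactly why decryption is the same routine."""
    left, right = block >> 32, block & MASK32
    for k in keys:
        left, right = right, left ^ round_fn(right, k)
    return ((right << 32) | left) & MASK64


def toy_encrypt(key: int, block: int) -> int:
    return feistel(subkeys(key), block)


def toy_decrypt(key: int, block: int) -> int:
    return feistel(list(reversed(subkeys(key))), block)


def two_key_tdes_encrypt(k1: int, k2: int, block: int) -> int:
    """EDE with K3 = K1: E_K1(D_K2(E_K1(P))), the two-key TDES keying option."""
    return toy_encrypt(k1, toy_decrypt(k2, toy_encrypt(k1, block)))


def two_key_tdes_decrypt(k1: int, k2: int, block: int) -> int:
    return toy_decrypt(k1, toy_encrypt(k2, toy_decrypt(k1, block)))


def collapses_to_single(k1: int, k2: int, block: int) -> bool:
    """True when EDE under (k1, k2) produces exactly one single-cipher
    encryption under k1, i.e. when the inner D_K2 undoes the inner E_K1."""
    return two_key_tdes_encrypt(k1, k2, block) == toy_encrypt(k1, block)


if __name__ == "__main__":
    K1 = 0x0123456789ABCDEF          # constructed sample keys
    K2 = 0xFEDCBA9876543210
    P = 0x5468652071756963           # constructed sample block
    print("K1 == K2 collapses to single encryption:", collapses_to_single(K1, K1, P))
    print("K1 != K2 collapses to single encryption:", collapses_to_single(K1, K2, P))
```

The EDE ordering was chosen deliberately so that equal keys give plain single DES for backward compatibility; the flip side is that a deployment with K1 = K2 gets only the effective strength of one 56-bit key, not the roughly 2^112 that two-key TDES is meant to provide.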
(b) One of your colleagues has implemented a hardware module to perform DES encryption.
They argue that a hardware implementation is more resilient than implementing DES in
software. Justify whether they are correct. [5]
(c) Consider Figure 1 which provides a model indicating different actions that are performed
between a user and three applications:
[Figure 1 (diagram not reproduced): participants OneDrive, Drawing Application, User and Social Application; messages "grant read/write to OneDrive", "import photos", "export photos" and "share photos to Social Application".]
Figure 1: A sequence diagram indicating the interactions a user has with multiple applications online.
You are consulting with the developer of the drawing application who wishes to implement
the implicit authorization flow from the OAuth 2.0 specification. They are keen to identify
their priorities to management when responding to a threat analysis. Argue which modelling
technique would be best to meet their needs. [5]
(d) Your colleague is looking to create a custom message digest. They have implemented
a variant of the SHA-2 algorithm and are utilising an Elliptic-Curve generator to create
random constants in favour of prime numbers. Argue whether this is a good approach to
take. [5]
5 END OF QUESTION PAPER