Course Name: Secure Software Engineering
Course Code: COMP SCI 4412 & COMP SCI 4812 & COMP SCI 7412
Assessment Component: Assignment 3 (20%) – Individual Assessment
Release Date: 5/10/2020
Due Date: 25/10/2019 by 23:55.
Submission: MyUni Canvas .

The list of tasks for assignment 3
Part 1 (5 points)
1. Continue with the software system you used in the threat modelling case study in
the Working Session 3 ​(You must specify the group name so that we can compare
your results with the one you have done in the class)
2. Identify ​three ​ security threats in the data flow diagram
3. Perform the following the tasks
4. Briefly describe the software system you have chosen
5. Explain each security threat in details
6. Include a ​use case diagram​ containing the misuse cases related to your
identified threats (You should highlight such misuse cases.)
7. Include a ​data flow diagram containing your identified threats (You should specify
the entities, processes and data stores involved. It is ok if
some elements are missing.)
8. Assess the risk of each security threat using the threat library of EMC
and/or Common Vulnerability Scoring System (You should mention
which assessment framework you are using)
9. Describe how you can potentially fix each security threat
10. Write your findings in a report
The three security threats you report should be relevant to the system you have
been involved in the threat modelling use case in class. If any threat does not match,
we will not give any mark for it.
Part 2 (5 points)
1. Study about strings vulnerabilities, e.g. ​Buffer Overflow, Code Injection and Arc
Injection​, on Common Weakness Enumeration and related websites;
2. Identify ​three ​security threats in open-source GitHub repositories. ​Each type of
vulnerability must have at least one source code file. ​The projects must satisfy the
following conditions:
○ The programming languages must be either C or C++
○ The repository has more 100 stars and 10 contributors on GitHub
3. Include the following information about each file you have found in the report:
○ Link to the vulnerable file (commit, the file itself)
○ Link to the commit that fixes the vulnerable file
○ Name of the file
○ The programming language used in the file
○ Name of the repository
○ Number of repository stars
○ Number of contributors in the repositories
○ Type of vulnerability (CWE)
4. Pinpoint the lines within the source code files you have identified that contain Buffer
Overflow, Code Injection, or Arc Injection;
5. Also enter the information you have found in tasks 3 and 4 into the ​Google Sheets
along with your name and student ID to avoid duplicate submission;
6. Explain how the vulnerable lines correlate to the definition or causes of the
vulnerability you have studied;
7. Show how to fix the vulnerability and explain in detail. It is not mandatory that the
fix has to be executable, but the explanation must be reasonable. If there is already a
fix available, explain how this fix complies with the standard mitigation techniques
for the vulnerability.
8. Give your thoughts on the difference of the vulnerable files and fixes among the
three types of vulnerabilities you have found ( ​Do not copy from online materials​)
9. Write your findings in a report
Please visit ​Google Sheets​ to input your identified vulnerable source code files as soon as
possible after you find them. You can do the analyses and put your findings in the report
later (but still before the deadline). The student who submits earlier will claim the
authorship of the source code file and the later ones must choose a different file to work on.
In case you accidentally select the same source code file, there will be a red flag to notify
you.
Part 3 (5 points)
1. Study about frequency analysis, insecurities of textbook RSA and how to solve those
issues. Please refer to the material uploaded in MyUni.
2. Solve the following three exercises
● Mono-alphabetic substitution: you are given a ciphertext “ex1.enc”
encrypted using the mono-alphabetic substitution method. Your task is to
recover the plaintext. Hint: the key is one of the permutations of 26 English
alphabets.
● Poly-alphabetic shift: you are given a ciphertext “ex2.enc” encrypted using
the poly-alphabetic shift method. Your task is to recover the plaintext. Hint:
the key consists of 4 English alphabets, and the ciphertext contains the name
of the day of the week.
● Textbook RSA: you are given (1) Python3 script “textbook_rsa.py” which
contains functions related to textbook RSA encryption scheme (2) RSA public
key “rsa_key.pub” (3) Ciphertext “ex3.enc” encrypted using the given RSA
public key. Your task is to recover the plaintext. Hint: the plaintext consists of
3 English alphabets.
3. Write about how you solve those exercises in your report. If you cannot recover the
plaintext, explain what method you have tried and why you couldn't recover them.
For example, it is infeasible due to computing resources. The report that contains
only plaintexts without further explanation will not be marked.
Part 4 (10 points)
Background:
Since the new privacy feature in iOS, enabling users to acknowledge which app is reading or
writing to his or her clipboard through prompting notifications, was updated, a plethora of top
apps have been reported to frequently access the clipboard without user consent. However,
the lack of monitoring and control of Android application's access to the clipboard data leave
Android users blind to their potential to leak private information from Android clipboards,
raising severe security and privacy concerns.

Input Method Editor(IME) is a type of compulsory app among non-alphabet language users.
For instance, users who use Chinese, Korean and Japanese languages have to download
third-party keyboards when they start to use a new device. Therefore, privacy securities of
the keyboard, or the IME, has become a significant concern.

Tasks:
- Read and understand the provided materials in the reference list below. You are
strongly encouraged to read any other relevant papers, technique comments, news
or articles that are not included in the provided list.
- Find at least 4 Input Method Editor(IME) applications of any languages and introduce
their functionalities in your report.
- Analyse the (potential) privacy issues and security concerns in each application. You
may assess the privacy data access by these applications and evaluate whether and
how user data are leaked. You are encouraged to propose your recommendations on
how to mitigate the security and privacy issues of the apps.
- List all the references. Try to make sure your references come from trusted sources.

References:
- Steven Arz,t et al. “FlowDroid: precise context, flow, field, object-sensitive and
lifecycle-aware taint analysis for Android apps.”
https://doi.org/10.1145/2666356.2594299
- Chen, Sen, et al. "An empirical assessment of security risks of global android
banking apps."
https://arxiv.org/abs/1805.05236
- https://frida.re/
- https://github.com/MobSF/Mobile-Security-Framework-MobSF




Tips about how I would go about doing this assignment:
Part 1
I will try to work with my group mates in class to identify as many security threats as
possible in the data flow diagram. After that, I will try to relate the security threats to the
misuse cases in the use case diagram. I will also see how I can use the threat library of EMC
with CVSS (in the slides of seminar session 5 and reading material) to assess the risk of each
security threat. Then, I will think about how I can mitigate these security risks as a
developer. I can utilize the materials in seminar sessions, vulnerability demos as well as the
experience I have gained from activities 1, 2 and exercise 1 to figure out the solutions.
Finally, I will put all of the results along with relevant diagrams in the report and submit to
Canvas.
Part 2
I will choose a system and draw a use case diagram. Then, I will try to identify as many
security threats as possible in the data flow diagram. After that, I will try to relate the
security threats to the misuse cases in the use case diagram. I will also see how I can use the
threat library of EMC with CVSS (in the slides of seminar session 5 and reading material) to
assess the risk of each security threat. Then, I will think about how I can mitigate these
security risks as a developer. I can utilize the materials in seminar sessions, vulnerability
demos as well as the experience I have gained from assignment 1 and assignment 2 to figure
out the solutions. Finally, I will put all of the results along with relevant diagrams in the
report.
Part 3
I will familiarize myself with frequency analysis and cryptanalysis based on validity of English
words. I will study the given Python script and will write some scripts to check my
understanding regarding the rsa_keygen(), rsa_encrypt() and rsa_decrypt() functions. Then,
I will solve the exercises. Finally, I will explain how I tried to solve those exercises, what
methods or techniques that I used, plaintexts (and keys, if capable) that I recovered. I will
include this information in the report and submit it to Canvas.

Please note that answer without explanation would not receive any point.

How to Submit: ​The assignment will be submitted via Canvas as there is an upload
facility created for this assignment on Canvas.

This assignment is designed to help you to achieve the learning outcomes # 3 and 4 in the
course outline.



欢迎咨询51作业君