Course Name: Secure Software Engineering Course Code: COMP SCI 4412 & COMP SCI 4812 & COMP SCI 7412 Assessment Component: Assignment 3 (20%) – Individual Assessment Release Date: 5/10/2020 Due Date: 25/10/2019 by 23:55. Submission: MyUni Canvas . The list of tasks for assignment 3 Part 1 (5 points) 1. Continue with the software system you used in the threat modelling case study in the Working Session 3 (You must specify the group name so that we can compare your results with the one you have done in the class) 2. Identify three security threats in the data flow diagram 3. Perform the following the tasks 4. Briefly describe the software system you have chosen 5. Explain each security threat in details 6. Include a use case diagram containing the misuse cases related to your identified threats (You should highlight such misuse cases.) 7. Include a data flow diagram containing your identified threats (You should specify the entities, processes and data stores involved. It is ok if some elements are missing.) 8. Assess the risk of each security threat using the threat library of EMC and/or Common Vulnerability Scoring System (You should mention which assessment framework you are using) 9. Describe how you can potentially fix each security threat 10. Write your findings in a report The three security threats you report should be relevant to the system you have been involved in the threat modelling use case in class. If any threat does not match, we will not give any mark for it. Part 2 (5 points) 1. Study about strings vulnerabilities, e.g. Buffer Overflow, Code Injection and Arc Injection, on Common Weakness Enumeration and related websites; 2. Identify three security threats in open-source GitHub repositories. Each type of vulnerability must have at least one source code file. The projects must satisfy the following conditions: ○ The programming languages must be either C or C++ ○ The repository has more 100 stars and 10 contributors on GitHub 3. Include the following information about each file you have found in the report: ○ Link to the vulnerable file (commit, the file itself) ○ Link to the commit that fixes the vulnerable file ○ Name of the file ○ The programming language used in the file ○ Name of the repository ○ Number of repository stars ○ Number of contributors in the repositories ○ Type of vulnerability (CWE) 4. Pinpoint the lines within the source code files you have identified that contain Buffer Overflow, Code Injection, or Arc Injection; 5. Also enter the information you have found in tasks 3 and 4 into the Google Sheets along with your name and student ID to avoid duplicate submission; 6. Explain how the vulnerable lines correlate to the definition or causes of the vulnerability you have studied; 7. Show how to fix the vulnerability and explain in detail. It is not mandatory that the fix has to be executable, but the explanation must be reasonable. If there is already a fix available, explain how this fix complies with the standard mitigation techniques for the vulnerability. 8. Give your thoughts on the difference of the vulnerable files and fixes among the three types of vulnerabilities you have found ( Do not copy from online materials) 9. Write your findings in a report Please visit Google Sheets to input your identified vulnerable source code files as soon as possible after you find them. You can do the analyses and put your findings in the report later (but still before the deadline). The student who submits earlier will claim the authorship of the source code file and the later ones must choose a different file to work on. In case you accidentally select the same source code file, there will be a red flag to notify you. Part 3 (5 points) 1. Study about frequency analysis, insecurities of textbook RSA and how to solve those issues. Please refer to the material uploaded in MyUni. 2. Solve the following three exercises ● Mono-alphabetic substitution: you are given a ciphertext “ex1.enc” encrypted using the mono-alphabetic substitution method. Your task is to recover the plaintext. Hint: the key is one of the permutations of 26 English alphabets. ● Poly-alphabetic shift: you are given a ciphertext “ex2.enc” encrypted using the poly-alphabetic shift method. Your task is to recover the plaintext. Hint: the key consists of 4 English alphabets, and the ciphertext contains the name of the day of the week. ● Textbook RSA: you are given (1) Python3 script “textbook_rsa.py” which contains functions related to textbook RSA encryption scheme (2) RSA public key “rsa_key.pub” (3) Ciphertext “ex3.enc” encrypted using the given RSA public key. Your task is to recover the plaintext. Hint: the plaintext consists of 3 English alphabets. 3. Write about how you solve those exercises in your report. If you cannot recover the plaintext, explain what method you have tried and why you couldn't recover them. For example, it is infeasible due to computing resources. The report that contains only plaintexts without further explanation will not be marked. Part 4 (10 points) Background: Since the new privacy feature in iOS, enabling users to acknowledge which app is reading or writing to his or her clipboard through prompting notifications, was updated, a plethora of top apps have been reported to frequently access the clipboard without user consent. However, the lack of monitoring and control of Android application's access to the clipboard data leave Android users blind to their potential to leak private information from Android clipboards, raising severe security and privacy concerns. Input Method Editor(IME) is a type of compulsory app among non-alphabet language users. For instance, users who use Chinese, Korean and Japanese languages have to download third-party keyboards when they start to use a new device. Therefore, privacy securities of the keyboard, or the IME, has become a significant concern. Tasks: - Read and understand the provided materials in the reference list below. You are strongly encouraged to read any other relevant papers, technique comments, news or articles that are not included in the provided list. - Find at least 4 Input Method Editor(IME) applications of any languages and introduce their functionalities in your report. - Analyse the (potential) privacy issues and security concerns in each application. You may assess the privacy data access by these applications and evaluate whether and how user data are leaked. You are encouraged to propose your recommendations on how to mitigate the security and privacy issues of the apps. - List all the references. Try to make sure your references come from trusted sources. References: - Steven Arz,t et al. “FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps.” https://doi.org/10.1145/2666356.2594299 - Chen, Sen, et al. "An empirical assessment of security risks of global android banking apps." https://arxiv.org/abs/1805.05236 - https://frida.re/ - https://github.com/MobSF/Mobile-Security-Framework-MobSF Tips about how I would go about doing this assignment: Part 1 I will try to work with my group mates in class to identify as many security threats as possible in the data flow diagram. After that, I will try to relate the security threats to the misuse cases in the use case diagram. I will also see how I can use the threat library of EMC with CVSS (in the slides of seminar session 5 and reading material) to assess the risk of each security threat. Then, I will think about how I can mitigate these security risks as a developer. I can utilize the materials in seminar sessions, vulnerability demos as well as the experience I have gained from activities 1, 2 and exercise 1 to figure out the solutions. Finally, I will put all of the results along with relevant diagrams in the report and submit to Canvas. Part 2 I will choose a system and draw a use case diagram. Then, I will try to identify as many security threats as possible in the data flow diagram. After that, I will try to relate the security threats to the misuse cases in the use case diagram. I will also see how I can use the threat library of EMC with CVSS (in the slides of seminar session 5 and reading material) to assess the risk of each security threat. Then, I will think about how I can mitigate these security risks as a developer. I can utilize the materials in seminar sessions, vulnerability demos as well as the experience I have gained from assignment 1 and assignment 2 to figure out the solutions. Finally, I will put all of the results along with relevant diagrams in the report. Part 3 I will familiarize myself with frequency analysis and cryptanalysis based on validity of English words. I will study the given Python script and will write some scripts to check my understanding regarding the rsa_keygen(), rsa_encrypt() and rsa_decrypt() functions. Then, I will solve the exercises. Finally, I will explain how I tried to solve those exercises, what methods or techniques that I used, plaintexts (and keys, if capable) that I recovered. I will include this information in the report and submit it to Canvas. Please note that answer without explanation would not receive any point. How to Submit: The assignment will be submitted via Canvas as there is an upload facility created for this assignment on Canvas. This assignment is designed to help you to achieve the learning outcomes # 3 and 4 in the course outline.
欢迎咨询51作业君