Faculty of Technology, Design & Environment
School of Engineering, Computing & Mathematics

Assessment cover

OXFORD BROOKES UNIVERSITY STUDENTS, PLEASE COPY THIS PAGE AND USE AS THE COVER PAGE FOR YOUR SUBMISSION

Module No: COMP 7025
Module title: Secure Programming
Assessment title: Blog Site
Due date and time: Friday 3rd May 2024 at 1pm
Estimated total time to be spent on assignment: 40 hours per student (excludes 112 hours for independent / directed study)

LEARNING OUTCOMES

On successful completion of this module, students will be able to achieve the following module learning outcomes (LOs):

LO numbers and text copied and pasted from the module descriptor.

LO2: Have a thorough understanding of the main attack vectors, commonly used to attack software, and be able to design and implement software that reduces the likelihood of those vulnerabilities being exploitable.
LO3: Conduct a detailed and critical analysis of existing software and utilise the results to produce secure modifications to treat, or mitigate, any vulnerabilities found.
LO4: Design and implement concurrent and distributed software which operates in hostile environments.
LO5: Design and implement secure software that utilises the underlying security model of the OS and hardware architecture.

Engineering Council AHEP4 LOs assessed (from S1 2022-23):

M1: Apply a comprehensive knowledge of mathematics, statistics, natural science and engineering principles to the solution of complex problems. Much of the knowledge will be at the forefront of the particular subject of study and informed by a critical awareness of new developments and the wider context of engineering.
M2: Formulate and analyse complex problems to reach substantiated conclusions. This will involve evaluating available data using first principles of mathematics, statistics, natural science and engineering principles, and using engineering judgement to work with information that may be uncertain or incomplete, discussing the limitations of the techniques employed.
M3: Select and apply appropriate computational and analytical techniques to model complex problems, discussing the limitations of the techniques employed.
M4: Select and critically evaluate technical literature and other sources of information to solve complex problems.
M5: Design solutions for complex problems that evidence some originality and meet a combination of societal, user, business and customer needs as appropriate. This will involve consideration of applicable health & safety, diversity, inclusion, cultural, societal, environmental and commercial matters, codes of practice and industry standards.

Statement of Compliance

I hereby declare that the work submitted is my own and that the work I submit is fully in accordance with the University regulations regarding assessments (www.brookes.ac.uk/uniregulations/current)

FORMATIVE FEEDBACK OPPORTUNITIES

In the Week 8 practical session you will demonstrate that you are making progress on the software development so that advice can be given if you are not; the work must be uploaded to the repository before the practical session. Advice will also be available in the module leader's office hours and at the end of the practicals for each week. The practicals contain exercises that focus on aspects of the software development and also the security analysis. You will be given feedback on how well you are performing on these tasks.

SUMMATIVE FEEDBACK DELIVERABLES

Deliverable description and instructions

Upload your report to Moodle (Turnitin link) with the coversheet provided before the due date. Your report should contain all of your code for both the security analysis (i.e. the original code as modified by you) and the software development. All of your code should be in an appendix to your report in addition to any code extracts quoted in the report. Code should be pasted; screengrabs containing code must not be used and will not be marked. The code for the software development must be uploaded to a GitHub repository that will be given to you. You will demonstrate that this code meets the functional requirements in the Week 12 practical session. You will also do an interim demonstration in the Week 8 practical session.

Weighting out of 100%:

Security Analysis-Preliminaries (10%): Reverse engineer documentation for the source code. Comment it clearly with all the assumptions it makes about program inputs and other variables, including full documentation of each function including assumptions made about parameters.

Security Analysis-Issues Found (20%): Explain four security flaws that you have found and their implications. You will be marked on your understanding of the code and the potential attack vectors against secure software.

Security Analysis-Fixes (10%): Fix two of the security flaws. You will be marked on the quality of the fix.

Security Analysis-Conclusion (5%): Summarise the issues found, run the modified program through a static analyser like splint and reflect on what you have seen. Discuss the implications of not fixing the two flaws you have left unfixed and provide an estimate of the resources required to fix them.

Software Development-Interim Demonstration (4%): This is an early assessment in the Week 8 practical designed to make sure that you can work with the software needed to complete this coursework. The task is to write and run a program that extracts the contents of an SQL table and prints it as an attractively formatted HTML table. You will also need to explain how you did it, show your database design (which should be completed by that point) and explain your future plans for implementing the rest of the requirements, giving details of both the static and the dynamically-created web pages and of the cpp files that compile into programs that create the latter.

Software Development-Design (4%): Give your design, explaining why you believe this will produce software that is maintainable and secure, responsive and easy to use.

Software Development-Functional Requirements (3x3=9%): Implement requirements FR1-FR3, each of which has equal importance to the marks. The code should be commented appropriately, be concise, and have appropriate naming. With regard to concision, functions and header files should be used to reduce the amount of duplicated code.

Software Development-Security Requirements (8x3=24%): Implement requirements SR1-SR8, each of which has equal importance to the marks. The code should be commented appropriately, be concise, and have appropriate naming.

Software Development-Audit (9%): Demonstrate that all of the security requirements have been met and, related to this, explain how you would approach the website from the perspective of an attacker. You will be marked, respectively, according to the rigour of your testing of these security requirements and the evidence that you have learned more than is just in the lectures. You should also reflect on what you have learned and what you would do differently next time.

Bonus Marks from Semester 1 session (5%): Installing lubuntu, compiling Hello World and making first upload to GitHub repository.

Marking grid and peer marking form are attached at the end of this assignment.

ASSIGNMENT IN DETAIL: OUTLINE

The coursework is in two parts:

1. A security analysis, to see whether you can discover and fix security flaws in other people's code
2. A software development, requiring you to build secure software from scratch

SECURITY ANALYSIS

You have been given a program, consisting of three files prog.c, utils.c and utils.h, with several security flaws. You can compile and run the code on the VM that you have been given but you will need to examine the source code itself (which the attacker has access to) and think carefully about how it works, including any assumptions that are made about inputs. You have to identify four security flaws and fix two of them. The commands to compile and run the files are:

    gcc -o prog.o prog.c utils.c
    ./prog.o

The program is intended to store for every user a blog post which can be uprated or downrated by the other users. The blog posts are stored in text files which the user does not have direct access to. A separate user called admin (short for administrator) has the power to create new users, set the password for the new user and give them a blank blog post to edit.

Note that we are looking for security issues, rather than bugs or usability flaws. It's up to you to decide which ones you want to fix, according to how well you feel you can fix them.

SOFTWARE DEVELOPMENT

The software you are writing is a CGI program written in C++. This means that it is running on a web server and it will be accessed through a web interface. You have been given a virtual machine with software that you need pre-installed together with all the necessary libraries including CGICC. You may use alternatives to CGICC if you wish but you must check with the module leader first. In any case, you must use C++ and submissions not using C++ will not be marked. Similarly, you have been given the MariaDB Connector library and may only use alternatives to it if you have the module leader's permission.

The function of the software is a blog post management system. Users will use it to view blog posts, rate blog posts up and down and to create their own blog posts. One user will be the administrator and they will have the ability to create new users and set passwords for them.

FUNCTIONAL REQUIREMENTS FOR SOFTWARE DEVELOPMENT

Name  Requirement
FR1   A user can view and edit their own blog posts.
FR2   A user can view the blog posts of other users and uprate or downrate them.
FR3   The administrator can create new user accounts and set passwords and email addresses for them.

SECURITY REQUIREMENTS FOR SOFTWARE DEVELOPMENT