Faculty of Technology, Design & Environment
Assessment cover
OXFORD BROOKES UNIVERSITY
STUDENTS, PLEASE COPY THIS PAGE AND USE AS THE COVER PAGE FOR YOUR SUBMISSION
Module No: COMP 7025
Module title: Secure Programming
Assessment title: Blog Site
Due date and time: Friday 3rd May 2024 at 1pm
Estimated total time to be spent on assignment: 40 hours per student (excludes 112 hours for independent / directed study)
LEARNING OUTCOMES
On successful completion of this module, students will be able to achieve the following module
learning outcomes (LOs): LO numbers and text copied and pasted from the module descriptor.
LO2 Have a thorough understanding of the main attack vectors, commonly used to attack software,
and be able to design and implement software that reduces the likelihood of those vulnerabilities
being exploitable.
LO3 Conduct a detailed and critical analysis of existing software and utilise the results to produce
secure modifications to treat, or mitigate, any vulnerabilities found.
LO4 Design and implement concurrent and distributed software which operates in hostile
environments.
LO5 Design and implement secure software that utilises the underlying security model of the OS and
hardware architecture.
Engineering Council AHEP4 LOs assessed (from S1 2022-23):
M1 Apply a comprehensive knowledge of mathematics, statistics, natural science and engineering
principles to the solution of complex problems. Much of the knowledge will be at the forefront of
the particular subject of study and informed by a critical awareness of new developments and
the wider context of engineering
M2 Formulate and analyse complex problems to reach substantiated conclusions. This will involve
evaluating available data using first principles of mathematics, statistics, natural science and
engineering principles, and using engineering judgement to work with information that may be
uncertain or incomplete, discussing the limitations of the techniques employed
M3 Select and apply appropriate computational and analytical techniques to model complex
problems, discussing the limitations of the techniques employed
M4 Select and critically evaluate technical literature and other sources of information to solve
complex problems
M5 Design solutions for complex problems that evidence some originality and meet a combination
of societal, user, business and customer needs as appropriate. This will involve consideration
of applicable health & safety, diversity, inclusion, cultural, societal, environmental and
commercial matters, codes of practice and industry standards
School of Engineering, Computing & Mathematics
Statement of Compliance
I hereby declare that the work submitted is my own and that the work I submit is fully in accordance with the
University regulations regarding assessments (www.brookes.ac.uk/uniregulations/current)
FORMATIVE FEEDBACK OPPORTUNITIES
In the Week 8 practical session you will demonstrate that you are making progress on the software
development so that advice can be given if you are not; the work must be uploaded to the repository before
the practical session. Advice will also be available in the module leader's office hours and at the end of the
practicals for each week. The practicals contain exercises that focus on aspects of the software
development and also the security analysis. You will be given feedback on how well you are performing
on these tasks.
SUMMATIVE FEEDBACK DELIVERABLES
Deliverable description and instructions
Upload your report to Moodle (Turnitin link) with the coversheet provided before the due
date. Your report should contain all of your code for both the security analysis (i.e. the
original code as modified by you) and the software development. All of your code should
be in an appendix to your report in addition to any code extracts quoted in the report. Code
should be pasted; screengrabs containing code must not be used and will not be marked.
The code for the software development must be uploaded to a GitHub repository that will
be given to you. You will demonstrate that this code meets the functional requirements in
the Week 12 practical session. You will also do an interim demonstration in the Week 8
practical session.
Security Analysis-Preliminaries:
Weighting (out of 100%): 10%
Reverse engineer documentation for the source code. Comment it clearly with all the
assumptions it makes about program inputs and other variables, including full
documentation of each function including assumptions made about parameters.
Security Analysis-Issues Found:
Weighting: 20%
Explain four security flaws that you have found and their implications. You will be marked
on your understanding of the code and the potential attack vectors against secure software.
Security Analysis-Fixes:
Weighting: 10%
Fix two of the security flaws. You will be marked on the quality of the fix.
Security Analysis-Conclusion:
Weighting: 5%
Summarise the issues found, run the modified program through a static analyser like splint
and reflect on what you have seen. Discuss the implications of not fixing the two flaws you
have left unfixed and provide an estimate of the resources required to fix them.
Software Development-Interim Demonstration:
Weighting: 4%
This is an early assessment in the Week 8 practical designed to make sure that you can
work with the software needed to complete this coursework.
The task is to write and run a program that extracts the contents of an SQL table and prints
it as an attractively formatted HTML table. You will also need to explain how you did it,
show your database design (which should be completed by that point) and explain your
future plans for implementing the rest of the requirements, giving details of both the static
and the dynamically-created web pages and of the cpp files that compile into programs
that create the latter.
Software Development-Design:
Weighting: 4%
Give your design, explaining why you believe this will produce software that is maintainable
and secure, responsive and easy to use.
Software Development-Functional Requirements:
Weighting: 3x3=9%
Implement requirements FR1-FR3, each of which has equal importance to the marks. The
code should be commented appropriately, be concise, and have appropriate naming. With
regard to concision, functions and header files should be used to reduce the amount of
duplicated code.
Software Development-Security Requirements:
Weighting: 8x3=24%
Implement requirements SR1-SR8, each of which has equal importance to the marks. The
code should be commented appropriately, be concise, and have appropriate naming.
Software Development-Audit:
Weighting: 9%
Demonstrate that all of the security requirements have been met and, related to this,
explain how you would approach the website from the perspective of an attacker. You will
be marked, respectively, according to the rigour of your testing of these security requirements
and the evidence that you have learned more than is just in the lectures. You should also reflect
on what you have learned and what you would do differently next time.
Bonus Marks from Semester 1 session:
Weighting: 5%
Installing lubuntu, compiling Hello World and making first upload to GitHub repository.
Marking grid and peer marking form are attached at the end of this assignment.
ASSIGNMENT IN DETAIL: OUTLINE
The coursework is in two parts:
1. A security analysis, to see whether you can discover and fix security flaws in other
people's code
2. A software development, requiring you to build secure software from scratch
SECURITY ANALYSIS
You have been given a program, consisting of three files prog.c, utils.c and utils.h, with several security
flaws. You can compile and run the code on the VM that you have been given but you will need to examine
the source code itself (which the attacker has access to) and think carefully about how it works, including
any assumptions that are made about inputs. You have to identify four security flaws and fix two of them.
The commands to compile and run the files are:
gcc -o prog.o prog.c utils.c
./prog.o
The program is intended to store for every user a blog post which can be uprated or downrated by the
other users. The blog posts are stored in text files which the user does not have direct access to. A separate
user called admin (short for administrator) has the power to create new users, set the password for the
new user and give them a blank blog post to edit.
Note that we are looking for security issues, rather than bugs or usability flaws. It's up to you to decide
which ones you want to fix, according to how well you feel you can fix them.
SOFTWARE DEVELOPMENT
The software you are writing is a CGI program written in C++. This means that it is running on a web server
and it will be accessed through a web interface. You have been given a virtual machine with software that
you need pre-installed together with all the necessary libraries including CGICC. You may use alternatives
to CGICC if you wish but you must check with the module leader first. In any case, you must use C++ and
submissions not using C++ will not be marked. Similarly, you have been given the MariaDB Connector
library and may only use alternatives to it if you have the module leader's permission.
The function of the software is a blog post management system. Users will use it to view blog posts, rate
blog posts up and down and to create their own blog posts. One user will be the administrator and they
will have the ability to create new users and set passwords for them.
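As an added illustration (not part of this brief and not coursework code), the sketch below shows the output-encoding step a C++ CGI program needs when it prints database rows as an HTML table, as in the interim demonstration task. The column names and rows are constructed sample data standing in for a real result set, and htmlEscape and renderTable are hypothetical helper names.

```cpp
#include <iostream>
#include <string>
#include <vector>

using Row = std::vector<std::string>;

// Encode the characters that are significant in HTML text and attribute values,
// so stored data is displayed as text and never interpreted as markup.
std::string htmlEscape(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Build a <table> from column names and rows; every header and cell is escaped.
std::string renderTable(const Row& headers, const std::vector<Row>& rows) {
    std::string html = "<table>\n<tr>";
    for (const auto& h : headers) html += "<th>" + htmlEscape(h) + "</th>";
    html += "</tr>\n";
    for (const auto& row : rows) {
        html += "<tr>";
        for (const auto& cell : row) html += "<td>" + htmlEscape(cell) + "</td>";
        html += "</tr>\n";
    }
    return html + "</table>\n";
}

int main() {
    // Constructed sample rows (assumption): in a real program these come from the database.
    Row headers = {"author", "post", "rating"};
    std::vector<Row> rows = {
        {"alice", "Hello & welcome", "3"},
        {"mallory", "<script>alert(1)</script>", "-2"},
    };
    // CGI response: header block, blank line, then the HTML body.
    std::cout << "Content-Type: text/html; charset=utf-8\r\n\r\n"
              << "<!DOCTYPE html>\n<html><body>\n"
              << renderTable(headers, rows) << "</body></html>\n";
    return 0;
}
```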
FUNCTIONAL REQUIREMENTS FOR SOFTWARE DEVELOPMENT
Name: Requirement
FR1: A user can view and edit their own blog posts.
FR2: A user can view the blog posts of other users and uprate or downrate them.
FR3: The administrator can create new user accounts and set passwords and email
addresses for them.
SECURITY REQUIREMENTS FOR SOFTWARE DEVELOPMENT