EXAM CODES: FIT3173
TITLE OF PAPER: SOFTWARE SECURITY
AUTHORISED MATERIALS
OPEN BOOK: NO
CALCULATORS: NO
SPECIFICALLY PERMITTED ITEMS: NO (if yes, items permitted are: )
Candidates must complete this section if required to write answers within this paper
STUDENT ID: DESK NUMBER:
Page 2 of 6
The final exam will contain: Part A (10 marks), Part B (10 marks), Part C (40 marks) = 60 marks total. The final assessment will take place on the eAssessment platform.
PART A (10 marks) (Sample)
Please answer Part A on the Multiple Answer Sheet provided.
Note: the Final Assessment question difficulty may vary from the sample
TRUE/FALSE questions
1. Initialized global variables are stored in stack.
a) True
b) False
2. Address Randomization is a mitigation for buffer overflow in stack.
a) True
b) False
3. In a 32-bit operating system, the range of an unsigned integer number is 0 to 2^32 - 1.
a) True
b) False
4. Getting random seed directly from time of microseconds is considered secure.
a) True
b) False
5. In AES, ECB mode is more robust than CBC mode when data loss happens during transmission.
a) True
b) False
6. Web application server is the target of SQL injection attacks.
a) True
b) False
7. SQL injection can compromise both data confidentiality and data integrity.
a) True
b) False
8. The malicious script in XSS attacks is executed on the victim server.
a) True
b) False
9. CSRF attacks can cause malicious actions on the victim server without being detected by users.
a) True
b) False
10. Threat modelling cannot help address vulnerabilities before software implementation.
a) True
b) False
PART B (10 marks) (Sample)
Please answer Part B on the Multiple Answer Sheet provided.
Note: the Final Assessment question difficulty may vary from the sample
Single answer questions.
11. Which of the following statements is correct about the return address in a function call?
a) It is a pointer that points to the instruction for a return statement inside a function.
b) The return address is for transferring control between function calls.
c) The return address is saved in the stack frame and cannot be modified during runtime.
12. Which of the following statements is correct about race condition vulnerability?
a) It stems from concurrent data access.
b) Repeating check and use can eliminate this threat.
c) Using atomic operations for file open and use is not useful to mitigate this vulnerability.
13. Which of the following line numbers could cause a buffer overflow?
1. void askQuestion(){
2. char user_answer[2];
3. char *s; int n, i;
4. printf("Is this code secure? Please answer yes, no, or no idea:");
5. gets(user_answer);
6. n = sizeof(user_answer)/sizeof(char);
7. s = (char*) malloc(n* sizeof(char));
8. for (i=0; i<=n; i++)
9. s[i] = 'A' + (random() % 26);
10. }
a) Lines 3 and 5
b) Lines 6 and 8
c) Lines 6 and 9
d) Lines 5 and 8
14. What does a "NOP sled" (opcode = 0x90) instruction do?
a) Terminate the program
b) Does nothing, asking the program to move on
c) Ask the program to move back to previous instruction
15. Which of the following statements is not true regarding XSS attacks?
a) The attacker can run arbitrary JavaScript code on the victim’s machine
b) The attack can happen if the user performs certain actions, e.g., clicking links or accessing malicious content
c) The attack cannot persistently infect the target server
16. Which of the following countermeasures cannot mitigate CSRF attacks?
a) Use origin header or referrer URL
b) Use random nonce to verify the http requests
c) Escape special characters in the user’s input
17. Which of the following is not the direct consequence of SQL injection?
a) Data deletion.
b) Data decryption.
c) Data leakage.
18. Which of the following is not true for AES?
a) It operates on 128-bit block
b) The key size can be 64-bit, 128-bit, 192-bit or 256-bit
c) The IV in AES modes can be reused for encryption and decryption if the software wants to implement deterministic encryption in certain applications
19. What is the advantage of using Static Code Analyzers?
a) It can find the design level vulnerabilities
b) It can find common bugs quickly
c) It can detect all bugs
20. Which of the following descriptions about STRIDE is not correct?
a) Spoofing can be exploited to compromise the authentication protocol of a website.
b) Tampering threat will break the integrity of the data.
c) Data confidentiality can be influenced by Denial of Service attacks.
PART C (23 marks)(Sample)
It will be 40 marks in the final assessment
Please answer Part C in the script books provided.
Note: the Final Assessment question difficulty may vary from the sample. The Final Assessment may have more questions in this section.
Q1) Consider the following data flow diagram for a personal cloud file storage system such as 'Google Drive'. Select one of the five labelled elements in this diagram, and for each element consider one threat to the user's security. For each threat, write: (1) the threat target, (2) the threat category in terms of the STRIDE categories, (3) a brief description of the threat and the assumed identity/capability of the attacker, and (4) proposed mitigation techniques for the threat.
(4 marks)
[Data flow diagram: File Storage System (element 5); elements 1 and 2 connected by Upload and Download flows; elements 3 and 4 connected by Write and Read flows]
Q2) The following function, written in the C language, is called by a program to authenticate a user logging in to use a restricted software service. Review the function code and identify two potential vulnerabilities in it. Explain (1) with an example which part of the code is affected and how each vulnerability might be exploited, (2) any assumptions needed for the exploit to work, and (3) how each vulnerability could be fixed.
(2 x 3 = 6 marks)
1 int login_check(char *user, char *password) {
2 int is_auth = 0;
3 char tmp_pwd[32];
4 char tmp_usr[32];
5
6 strcpy(tmp_pwd, password);
7 strcpy(tmp_usr, user);
8
9 if((strcmp(tmp_usr, "john") == 0) && (strcmp(tmp_pwd, "beaut") == 0))
10 is_auth = 1;
11 if((strcmp(tmp_usr, "pam") == 0) && (strcmp(tmp_pwd, "aper4g") == 0))
12 is_auth = 1;
13
14 return is_auth;
15 }
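The following is an added example, not part of the exam paper or its model answer: a bounds-checked rewrite of login_check that refuses over-long input before copying into the 32-byte stack buffers. The names login_check_safe and CRED_MAX are hypothetical; the hard-coded credentials are kept as in the question.

```c
/* Added example, not from the exam paper: a bounds-checked rewrite of
 * login_check. The original copies caller-controlled strings into two
 * 32-byte stack buffers with strcpy, so an input of 32 or more characters
 * overruns the buffer. This version refuses over-long input before any
 * copy and terminates the buffers explicitly. The hard-coded credentials
 * are kept from the question; that design issue is out of scope here.
 * login_check_safe and CRED_MAX are hypothetical names. */
#include <stdio.h>
#include <string.h>

#define CRED_MAX 32   /* same buffer size as the question's tmp_usr/tmp_pwd */

int login_check_safe(const char *user, const char *password) {
    int is_auth = 0;
    char tmp_pwd[CRED_MAX];
    char tmp_usr[CRED_MAX];

    if (user == NULL || password == NULL)
        return 0;
    /* memchr looks for the terminator within the first CRED_MAX bytes only,
     * so an over-long or unterminated input is rejected without reading
     * past the buffer limit (a 32-character input has no room for '\0'). */
    if (memchr(user, '\0', CRED_MAX) == NULL ||
        memchr(password, '\0', CRED_MAX) == NULL)
        return 0;

    /* Bounded copies; the check above guarantees these fit, and the explicit
     * terminator means the buffers are never left unterminated. */
    strncpy(tmp_usr, user, CRED_MAX - 1);
    tmp_usr[CRED_MAX - 1] = '\0';
    strncpy(tmp_pwd, password, CRED_MAX - 1);
    tmp_pwd[CRED_MAX - 1] = '\0';

    if (strcmp(tmp_usr, "john") == 0 && strcmp(tmp_pwd, "beaut") == 0)
        is_auth = 1;
    if (strcmp(tmp_usr, "pam") == 0 && strcmp(tmp_pwd, "aper4g") == 0)
        is_auth = 1;
    return is_auth;
}

int main(void) {
    char too_long[64];                      /* constructed 63-character name */
    memset(too_long, 'A', sizeof too_long - 1);
    too_long[sizeof too_long - 1] = '\0';
    printf("john/beaut -> %d\n", login_check_safe("john", "beaut"));
    printf("63-char user -> %d\n", login_check_safe(too_long, "beaut"));
    return 0;
}
```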
Q3) If you were designing software to encrypt the following text with AES, “Monash IT partners with diverse organizations: Whether you are a government organization, big business, start-up or community organization, collaborative projects are a cost-effective way to make the latest technologies accessible, build internal capabilities, implement best practice and get the edge on the competition. Monash University has a high international profile, renowned for producing groundbreaking research. Engage our talent. We have initiated and led remarkable discoveries, as well as successful start-up companies. We are keen to work with any organization interested in”, would ECB mode be secure for encryption? Please explain the reason. If not, what mode would you adopt for encryption? Please explain the reason. (2 + 2 = 4 marks)
Q4) Consider the following C code that is intended to perform a copy operation. Review the code and identify the vulnerability in it. Explain (1) where it occurs in the code (and any assumptions you are making), (2) how it could be exploited, and (3) suggest a good practice for preventing it.
1 int copy_something(char *buf, int len){
2 char kbuf[800];
3 if(len > sizeof(kbuf)){
4 return -1;
5 }
6
7 memcpy(kbuf, buf, len);
8 return 1;
9 }
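The following is an added example, not part of the exam paper or its model answer. It shows how the mixed signed/unsigned types in a length check behave (len is an int, while sizeof and memcpy's size parameter are size_t), and a hardened copy routine that states its bounds explicitly. The names rejected_by_size_t_bound, rejected_by_int_bound, length_seen_by_memcpy and copy_something_checked are hypothetical.

```c
/* Added example, not from the exam paper. len is a signed int while
 * sizeof(kbuf) and memcpy's size parameter are size_t (unsigned). A negative
 * len therefore means different things at different points: compared against
 * a size_t bound it is converted to a huge unsigned value and rejected, but
 * compared against an int bound it slips through, and it then becomes a huge
 * size_t inside memcpy. The hardened copy rejects negatives explicitly and
 * carries the length as size_t so no implicit conversion is relied upon. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KBUF_SIZE 800

/* Shape of the question's check: the bound is size_t because sizeof yields size_t. */
int rejected_by_size_t_bound(int len) {
    char kbuf[KBUF_SIZE];
    return len > sizeof(kbuf);        /* len is converted to size_t first */
}

/* Same check with an int bound, e.g. a macro or sizeof cast to int. */
int rejected_by_int_bound(int len) {
    return len > (int)KBUF_SIZE;      /* plain signed comparison: -1 passes */
}

/* What memcpy would actually receive if a negative int reaches it. */
size_t length_seen_by_memcpy(int len) {
    return (size_t)len;               /* -1 becomes SIZE_MAX */
}

/* Hardened copy: explicit negative check and explicit destination size. */
int copy_something_checked(char *dst, size_t dst_size, const char *src, int len) {
    if (dst == NULL || src == NULL || len < 0)
        return -1;
    if ((size_t)len > dst_size)
        return -1;
    memcpy(dst, src, (size_t)len);
    return 1;
}

int main(void) {
    char kbuf[KBUF_SIZE];
    const char sample[] = "constructed sample input";   /* constructed input */
    printf("size_t bound rejects -1: %d\n", rejected_by_size_t_bound(-1));
    printf("int bound rejects -1:    %d\n", rejected_by_int_bound(-1));
    printf("memcpy would see:        %zu\n", length_seen_by_memcpy(-1));
    printf("checked copy of 801 bytes: %d\n",
           copy_something_checked(kbuf, sizeof kbuf, sample, 801));
    return 0;
}
```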
Q5) A table users(uid, name, password) is constructed in an SQL database. The program below constructs an SQL statement to retrieve the password of a given username from that table. Assume that a function runSQL(String query) is already developed; it takes a string in SQL format and executes it on the SQL database server. The program contains two vulnerabilities. Identify them and provide your mitigation solutions. In addition, what value of the input username can be used to retrieve the password of the user whose uid = 1? (4 + 2 = 6 marks)
void main(int argc, char *argv[])
{
char *username = argv[2];
char query[50] = {0};
if(username!=NULL && strlen(username))
{