EXAM CODES: TITLE OF PAPER: EXAM DURATION:
2022 Semester One (June 2022) Examination Period
Faculty of Information Technology
FIT3173 (sample exam)
Copyright By PowCoder代写 加微信 powcoder
Software Security
2 hours 10 minutes
AUTHORISED MATERIALS
CALCULATORS
SPECIFICALLY PERMITTED ITEMS if yes, items permitted are:
YES YES YES
✓NO ✓ NO ✓NO
Office Use Only
THIS PAPER IS FOR STUDENTS STUDYING AT: (tick where applicable)
Caulfield ✓Clayton Parkville Peninsula Monash Extension Off Campus Learning Malaysia Sth Africa Other (specify)
During an exam, you must not have in your possession any item/material that has not been authorised for your exam. This includes books, notes, paper, electronic device/s, mobile phone, smart watch/device, calculator, pencil case, or writing on any part of your body. Any authorised items are listed
below. Items/materials on your desk, chair, in your clothing or otherwise on your person will be deemed to be in your possession.
No examination materials are to be removed from the room. This includes retaining, copying, memorising or noting down content of exam material for personal use or to share with any other person by any means following your exam.
Failure to comply with the above instructions, or attempting to cheat or cheating in an exam is a discipline offence under Part 7 of the Monash University (Council) Regulations, or a breach of instructions under Part 3 of the Monash University (Academic Board) Regulations.
Candidates must complete this section if required to write answers within this paper
STUDENT ID: __ __ __ __ __ __ __ __ DESK NUMBER: __ __ __ __ __
Page 1 of 4
Final exam contents: Part I (10 marks), Part II (10 marks), Part III (40 marks) = 60
marks total.
PART I (5 marks) (Sample)
TRUE/FALSE questions (Final exam will contain 10 questions)
1. Getting random seed directly from time of microseconds is considered secure a) True
2. StackShield brings compatibility issues to the program.
a) True b) False
3. CSRF attacks can cause malicious actions to the victim server without being captured by users.
4. Tampering threat will break the integrity of the data. a) True
5. Risk-based testing can identify security issues in the design level.
a) True b) False
Page 2 of 4
PART II (5 marks) (Sample) Multiple-choice questions. (Final exam will contain 10 questions)
What are the causes of SQL injection?
a) Treating user data as code
b) Treating users as always honest
c) Unfiltered user inputs
d) All of the above
Which following line number possibly causes buffer overflow?
1. void askQuestion(){
2. char user_answer[2];
3. char *s; int n, i;
4. printf(“Is this code secure? Please answer yes, no, or no idea:”);
5. gets(user_answer);
6. n = sizeof(user_answer) / sizeof(char);
7. s = (char*) malloc(n* sizeof(char));
8. for (i = 0; i <= n; i++)
a) Lines 3 and 5 b) Lines 6 and 8 c) Lines 6 and 9 d) Lines 5 and 8
What is the advantage of using Static Code Analysers? a) It can find the design level vulnerabilities
b) It can find common bugs quickly
c) It can detect all bugs
d) It can test the security of software under real-world adversarial environments
Which of the following options are not the examples for trust boundaries?
a) Machine boundaries
b) Privilegeboundaries
c) Integrity boundaries
d) Threads in a native process
What security properties does Intel SGX offer?
a) Providing the integrity protection to CPU processor and memory under any physical attacks
b) Providing an isolated execution environment to guarantee integrity and confidentiality of code and data
c) Authentic guarantee to run the application with the root privilege
d) All of the above
s[i] = 'A' + (random() % 26);
Page 3 of 4
PART III (13 marks) (Sample) (Final exam will contain 7 questions)
Q1) Consider the following data flow diagram for a personal cloud file storage system such as `Google Drive’. Select one of the five labelled elements in this diagram, and for each element consider one threat to the user’s security. For each threat, write: (1) The threat target, (2) The threat category in terms of the STRIDE categories, (3) A brief description of the threat and the assumed identity/capability of the attacker, and (4) Proposed mitigation techniques for the threat.
User (Client) Machine
Upload file
2 Download file
Cloud File Server
Write file 4
Q2) Consider the following C code that plans to perform copy operation. Review the code, and identify the vulnerability in it. Explain (1) where it occurs in the code (and any assumptions you are making), (2) how it could be exploited, and (3) suggest a good practice for preventing it.
1 int copy_something(char *buf, int len){
2 char kbuf[800];
3 if(len > sizeof(kbuf)){
7 memcpy(kbuf, buf, len);
8 return 1;
return -1;
Q3) A table users(uid, name, password) is constructed in a SQL database. The below program constructs an SQL statement to retrieve password of a given username in that table. Assuming that runSQL function (String query) is already developed. The function takes a string in sql format and executes it with SQL database server. The program contains two vulnerabilities. Identify them and provide your mitigation solutions. Besides, what value of the input username can be used to retrieve the password of a user whose uid = 1? (4 + 2 = 6 marks)
void main(int argc, char *argv[])
char *username = argv[2];
char query[50] = {0}; if(username!=NULL && strlen(username)) {
sprintf(query,”SELECT PASSWORD FROM USERS WHERE NAME =\’%s\’ ”,username);
runSQL(query);
File Storage System
Page 4 of 4
程序代写 CS代考 加微信: powcoder QQ: 1823890830 Email: powcoder@163.com