UK Based Company
Company Registration# 11483120
Address: International House, 12 Constance Street, London, United Kingdom, E16 2DQ.

CT6042 Assignment 001 2024-25 | Demonstrate how the vulnerability can be exploited with code examples?

CT6042 Assignment 001 2024-25

The requirements for assessment 1:

Too many developers are prioritising functionality and performance over security. Either that, or they just don’t come from a security background, so they don’t have security in mind when they are developing the application, therefore leaving the business vulnerable.

Your task for this assignment is to implement five dangerous software errors (vulnerable code), exploit and fix, and based on your implementation then write a secure software development framework/guideline that discusses those implemented five dangerous software errors (such as Buffer Overruns). Your framework/guideline should include the following for each software error:

a) demonstrate how the vulnerability can be exploited with code examples?

b) demonstrate how the code was tested to identify vulnerability?

c) how to mitigate, what security measures were put into place?

d) test again to make sure the code is resilient to the chosen attack

Your framework should also include general discussion about:

a) the importance of Security Development Life Cycle

b) product risk assessment and risk analysis

You should include all implemented source code in the appendix of your report. Note that the appendix does not count towards your report word count.

You should carefully consider the following when writing your report:

  • Style – suitable to be quickly read and comprehended.
  • Content – relevant, clearly explained, logically organised.
  • Authority – discussed concepts and ideas will need evidence in support.
  • Practical understanding – your own practical examples, advice and demonstrations should be included.
  • Technical understanding – understanding of the discussed system and consideration of comparison products.
  • Comprehensiveness – you need to cover what you consider to be all the key topics.
  • Helpfulness – practical examples, advice and demonstrations should be included.

Special instructions

You need to submit two files – one is your report (a Microsoft Word document file) and the other is a zip file containing all implemented source code.

Submit your source files (just one compressed zip file). The compressed zip file should be named according to the convention

CT6042 2024-25 001 StudentNumber SOURCECODE

      e.g. CT6042 2024-25 001 1608131 SOURCECODE

Submit report (just one Word document) named according to the convention

CT6042 2024-25 001 StudentNumber REPORT

            e.g. CT6042 2024-25 001 1608131 REPORT

Assessment 1 criteria

You need to achieve at least 40% to pass this assessment. Below is a guide to the level of practical content and report required for the assignment.

Grade

Content

To achieve

Some requirements met, but very limited and not recoverable. Copyright violation.

To achieve

Deliverables partially complete, e.g. incorrect database models or failure to submit report.

To achieve 40+

Discussed

  • Any 3 of the most dangerous software errors with examples

To achieve 50+

Discussed

  • Any 3 of the most dangerous software errors with examples
  • Security Development Life Cycle
  • Some code examples used in the report were implemented by yourself

To achieve 60+

Discussed

  • Any 4 of the most dangerous software errors with examples
  • Security Development Life Cycle
  • Discussion of product risk assessment and risk analysis
  • Most code examples used in the report were implemented by yourself

To achieve 70+

Discussed

  • Any 5 of the most dangerous software errors with examples
  • Security Development Life Cycle
  • Discussion of product risk assessment and risk analysis
  • All code examples used in the report were implemented by yourself

The maximum size for the report is 3000 words.

Assesses learning outcomes (1), (2), (3) and (4)

Note that the overall grade will be determined by the application of the School of Business & Technology Assessment Criteria Grid.

Sample Answer

Demonstrate how the vulnerability can be exploited with code examples?

Secure Software Development Framework and Guideline

Introduction

Security in software development is a critical concern for organisations striving to protect their assets and user data. With functionality and performance often prioritised over security, vulnerabilities are introduced, making systems susceptible to exploitation. This report identifies and addresses five dangerous software errors, demonstrating their exploitation, mitigation, and testing, alongside the development of a secure software development framework. Additionally, it discusses the importance of the Security Development Life Cycle (SDLC) and product risk assessment.


Five Dangerous Software Errors

1. Buffer Overflow

a) Exploitation with Code Example

Buffer overflow occurs when more data is written to a buffer than it can hold, leading to memory corruption. Example:

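#include <stdio.h>
#include <string.h>

int main(void) {
    char buffer[10];
    /* Deliberately vulnerable: strcpy does no bounds check and writes
       23 bytes (22 characters plus the terminating NUL) into 10 bytes. */
    strcpy(buffer, "ThisIsTooLongForBuffer");
    printf("Buffer: %s\n", buffer);
    return 0;
}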

Running this code overwrites adjacent memory, causing unexpected behaviour or crashes.

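b) Testing to Identify Vulnerability

Tools like AddressSanitizer or Valgrind can detect buffer overflows. Valgrind's Memcheck does not bounds-check stack or global arrays, so for a stack buffer like the one above AddressSanitizer gives the more reliable report. Example: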

valgrind ./vulnerable_program

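c) Mitigation Measures

Use bounded functions like strncpy and check buffer sizes. strncpy does not write a terminating NUL when the source is as long as or longer than the limit, so terminate the buffer explicitly:

strncpy(buffer, "ThisIsTooLongForBuffer", sizeof(buffer) - 1);
buffer[sizeof(buffer) - 1] = '\0';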

Implement compiler options like stack protection (-fstack-protector in GCC).

d) Post-Mitigation Testing

Run the code again using AddressSanitizer or fuzzing tools to ensure the buffer overflow is resolved.
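
The mitigation and re-test steps above, combined into one added example (not part of the original sample answer): a bounded copy that reports truncation, plus a regression check that surrounds the page's 10-byte buffer with guard bytes. The names copy_bounded, struct guarded and guards_intact_after_copy are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from the page): copy src into dst without ever
   writing past dst_size bytes. Always NUL-terminates.
   Returns 0 if src fit, -1 if it was truncated or the arguments are bad. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t i = 0;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    while (i < dst_size - 1 && src[i] != '\0') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
    return src[i] == '\0' ? 0 : -1;
}

/* The page's 10-byte buffer, placed between guard bytes so a regression
   test can see any out-of-bounds write. */
struct guarded {
    unsigned char before[8];
    char buffer[10];
    unsigned char after[8];
};

/* Returns 1 if the copy stayed in bounds and left a terminated string. */
int guards_intact_after_copy(const char *input)
{
    struct guarded g;
    size_t i;
    memset(&g, 0xA5, sizeof g);      /* guards and buffer start as 0xA5 */
    copy_bounded(g.buffer, sizeof g.buffer, input);
    for (i = 0; i < sizeof g.before; i++)
        if (g.before[i] != 0xA5 || g.after[i] != 0xA5)
            return 0;
    return memchr(g.buffer, '\0', sizeof g.buffer) != NULL;
}

int main(void)
{
    char buffer[10];
    int rc = copy_bounded(buffer, sizeof buffer, "ThisIsTooLongForBuffer");
    printf("rc=%d buffer=\"%s\"\n", rc, buffer);
    printf("guards intact: %d\n",
           guards_intact_after_copy("ThisIsTooLongForBuffer"));
    return 0;
}
```

Building this with -fsanitize=address (GCC or Clang) adds the AddressSanitizer check from step d on top of the guard-byte test.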

Continued...

