Learning Objectives

In this assignment you will demonstrate:

• Competence with memory management in C
• The ability to use smart pointers in C++
• The ability to write complete classes in Java with internally managed memory
• Further practice with validation, failing fast, and other software security principles
• The construction of C, C++, and Java code that avoids certain vulnerabilities

Read and Watch

Read:

• The readings from previous Homework assignments (or just skim for review if you are comfortable with them).
• (In detail) the course notes on C and C++.
• This blog post about C memory management (static, stack, heap).
• The famous Stack Smashing paper (Just browse it, you don’t have to understand every word.)

Familiarize yourself with (via skimming):

• The C Reference.
• The C++ Reference.

Watch:

• The three introductory videos and the videos in the first two “Topics” of Michael Hicks’s amazing Software Security course. The content here will teach you a great deal about low level security and how to defend. There is coverage of memory layout, memory safety, buffer overruns, format string attacks, and more. These videos would take two hours to watch; therefore you may wish to watch a subset of these or watch at 1.5x or faster. (The last video in Week 2 entitled Secure Coding is especially useful in this course.)

Although you should do all the readings and watch all the videos assigned above, I am not going to assign you problems where you echo back all you’ve read or watched, nor will ask you to write small snippets of code illustrating each of the vulnerabilities discussed in the resources. You will see those concepts in the practice problems, classwork, and on exams. For this assignment, you will focus on writing C and C++ modules that you can demonstrate are free from those vulnerabilities. That said, please take these learning opportunities seriously and do try to devour all of the materials that have curated for you.

For Submission

Submit via BrightSpace, a PDF document with answers to the following. Please note that several of these questions involve research to answer questions not specifically addressed during lectures (though they may build on the big ideas introduced during class meetings).

1. Give the titles and URLs of three more Tom Scott security-related videos you watched (to completion), together with a sentence or two on the purpose or lesson if each video.
2. Write a module defining a secure, expandable array-based stack of strings in C. (We will do a non-expandable version in class.) Fail fast by crashing with an error code (a different code for each type of failure), or return a “response object” that caller can use to determine whether the operation succeeded, or if it did not, what happened.
3. Write a class for a secure expandable array-based stack of strings in C++, using a raw array of smart pointers for the stack. In practice, C++ programmers have a standard stack class, but in this course we are interested in building secure structures from first principles and getting practice with all the various features (and warts) of C++. Fail fast by throwing exceptions.
4. Write a class for a secure expandable array-based stack of strings in Java. Fail fast by throwing exceptions.