Learning Objectives
In this assignment you will demonstrate:
- Familiarity with security weaknesses in C, C++, and Java
- Familiarity with secure coding issues in C, C++, and Java
- Familiarity with the SEI CERT documentation on C, C++, and Java
- Research and writing skills through the exploration and exposition of certain topics in software security
- The ability to get through a few more Tom Scott videos on YouTube
- Command-line and Python prowess in capturing flags on PicoCTF
Read and Watch
Do the following:
Activity
Sign up for an account on PicoCTF and complete as many of the challenges from the playlist The Beginner's Guide to the picoGym as you can. Strive to complete at least 10.
Submission Instructions
Submit via BrightSpace a text or PDF document with:
- The answers to Exercises 1-5 below.
- A screenshot of your PicoCTF picoGym Progress Tracker.
- An affidavit that you did all of the assigned readings and watched the assigned videos. If you did not complete the readings or videos, submit a statement detailing the assigned readings or videos that you did not complete with a promise to complete them by the next assignment due date.
Please note that several of these questions involve research to answer questions not specifically addressed during lectures (though they may build on the big ideas introduced during class meetings).
Exercises
- Give the titles and URLs of the three Tom Scott security-related videos you watched (to completion), together with a sentence or two on the purpose or lesson of each video.
- Research the concept of Security Through Obscurity. Write up a couple of paragraphs describing what this phrase refers to, give some examples, and describe why it is (generally) a bad thing. It is okay to receive help from an AI assistant; however, make sure the most important downside of STO is clearly articulated, so take care in crafting a strong prompt if you do choose to use a chatbot.
- Give (software) examples of (a) a failure of confidentiality, (b) a failure of integrity, and (c) a failure of availability.
- Capture at least 10 flags in PicoCTF. State the names of the ten challenges you completed, and for each, whether it was easy, medium, or hard.
- Select 3 guidelines each from the SEI CERT Guidelines in this assignment’s reading list (for C, C++, and Java). For each, give its name, its number in the CERT numbering scheme, a description of the guideline in your own words, and an example of your own code that is compliant with the selected guideline. (You may optionally include a non-compliant piece of code too, but please mark it as non-compliant.) Yes, your answer will be very much based on the code in the standard itself, but the effort you put into answering this question well, and testing the code, will help you reach the learning objectives and increase your familiarity with these useful documents. (Be careful to select 9 guidelines that are markedly different from each other.)
Grading
- For each video: 1 pt for giving the URL, 3 points for capturing the essence of the video. (4 points × 3 = 12 points)
- For the STO question: 2 points for writing well, 3 points for an accurate description, 3 points for good examples (at least 2), 4 points for correctly identifying the precise reason why STO is bad. (12 points)
- For CIA, 4 points each (12 points)
- For CTF: 2 points for each flag (20 points). If you do not include a screenshot of your progress tracker that includes your login name, you will get a 0 for this entire problem. You have been warned. FOLLOW INSTRUCTIONS.
- For the CERT Guidelines exercise:
  - Each of the 9 has a name listed (0.5 x 9 = 4.5 points)
  - Each of the 9 is accurately described (1.5 x 9 = 13.5 points)
  - Each of the 9 has a relevant example (1.5 x 9 = 13.5 points)
  - Your choice of the 9 was sufficiently spread out (no two from the same category) (7.5 points)
  - You wrote well and your writing can be understood by a novice (5 points)