Learning Objectives

In this assignment you will demonstrate:

• Competence with memory management in C
• The ability to use smart pointers in C++
• The ability to write complete classes in Java with internally managed memory
• Further practice with validation, failing fast, and other software security principles
• The construction of C, C++, and Java code that avoids certain vulnerabilities

Read and Watch

Read:

• Any of he readings from previous homework assignments that you did not get to, or that you wish to skim for review.
• (In detail) the course notes on C and C++.
• This blog post about C memory management (static, stack, heap).
• The famous Stack Smashing paper (Just browse it, you don’t have to understand every word.)

Familiarize yourself with (via skimming):

• The C Reference.
• The C++ Reference.
• Section 12 of the CTF Primer.
• Chapters 3 and 4 of this book.

Watch:

• The three introductory videos and all the videos in the Topics 1 and 2 (2 + 6 + 7 = 15 videos in total) of Michael Hicks’s amazing Software Security course. The content here will teach you a great deal about low level security and how to defend. There is coverage of memory layout, memory safety, buffer overruns, format string attacks, and more. These videos would take two hours to watch; therefore you may wish to watch a subset of these or watch at 1.5x or faster. (The last video in Week 2 entitled Secure Coding is especially useful in this course.)

Although you should do all the readings and watch all the videos assigned above, I am not going to assign you problems where you echo back all you’ve read or watched, nor will ask you to write small snippets of code illustrating each of the vulnerabilities discussed in the resources. You will see those concepts in the practice problems, classwork, and on exams. For this assignment, you will focus on writing C and C++ modules that you can demonstrate are free from those vulnerabilities. That said, please take these learning opportunities seriously and do try to devour all of the materials that I have curated for you.

Activity

Complete a few more (at least three) challenges at PicoCTF. Strive to choose challenges related to the topics for this unit (C, C++, buffers, etc.)

Submission Instructions

Submit via BrightSpace, a text or pdf document with:

• The answer to Exercise 1 below.
• A screenshot of your PicoCTF picoGym Progress Tracker, along with a note detailing which challenges you completed since the previous assignment.
• URLs for your coding solutions to Exercises 2–4 below.Source code must be hosted on GitHub, and the repository must be public or you must add me as a collaborator. The project must have clear instructions for me to run it after downloading or cloning the repository.
• An affidavit that you did all of the assigned readings and watched the assigned videos. If you did not complete the readings or videos, submit a statement detailing the assigned readings or videos that you did not complete with a promise to complete them by the next assignment due date.

Exercises

1. Give the titles and URLs of three videos from Low Level Learning that deal with specific vulnerabilities that you watched to completion, together with a sentence or two on the purpose or lesson if each video. Ones with the blatant clickbait titles like “HACKED!” or “HOLY SH*T!” are surprisingly okay.
2. Write a module defining a secure, expandable array-based stack of strings in C. (We will do a non-expandable version in class.) Fail fast by returning a “response object” that the caller can use to determine whether the operation succeeded (and if appropriate, its return value), or if it did not, what happened. As usual, you will be graded on things like validation and defensive copies.
3. Write a class for a secure expandable array-based stack of strings in C++, using a raw array of smart pointers for the stack. In practice, C++ programmers have a standard stack class, but in this course we are interested in building secure structures from first principles and getting practice with all the various features (and warts) of C++. Fail fast by throwing exceptions.
4. Write a class for a secure expandable array-based stack of strings in Java. Fail fast by throwing exceptions.

Grading

• For each video: 1 pt for giving the URL, 3 points for capturing the essence of the video. (4 points × 3 = 12 points)
• For CTF, 2 points for each flag. (6 points). If you do not include a screenshot of your progress tracker that includes your login name, you will get a 0 for this entire problem. You will also receive 0 if you did not list the names of the challenges completed. You have been warned. FOLLOW INSTRUCTIONS. (Sorry to be passive aggressive here, but you know, it’s worth checking your submissions and keeping things clean. These are good traits for security professionals!)
• For the stack modules, 82 points total, 10 of which for following instructions (providing direct links to cloud hosting, having inspectable and runnable code), 10 points for using a formatter and choosing good names, and 62 for following all of the software security principles we’ve been covering in class.