LMU ☀️ CMSI 662
SECURE SOFTWARE DEVELOPMENT
Midterm

Answer as many questions as you can.

  1. If an attacker is only able to eavesdrop on a communication line but cannot change or reroute communication in any way, what aspect of the system is being compromised?
    $\bigcirc$ Confidentiality   $\bigcirc$ Integrity   $\bigcirc$ Availability   $\bigcirc$ Non-repudiation   $\bigcirc$ All of the above
  2. What is the meaning of “secure software is better than security software”?
    $\bigcirc$ Security software is more likely to have vulnerabilities
    $\bigcirc$ Security software is not written by experienced software developers, but only by non-technical analysts
    $\bigcirc$ Security software only does forensics, intrusion detection, and reporting, and does not do anything preventative
    $\bigcirc$ Security software tends to be overly specific in preventing certain vulnerabilities, which are often completely avoidable by more careful design restrictions and validations in the application itself
  3. Although there is no real reason to do so, in the world of software security, folks tend to get picky about the difference between two types of defects—bugs and flaws. How are these terms commonly understood?
    $\bigcirc$ Bugs are problems with the implementation, flaws are problems with the design
    $\bigcirc$ Only bugs are exploitable
    $\bigcirc$ Bugs are problems with the design, flaws are problems with the implementation
    $\bigcirc$ Only flaws are exploitable
  4. Although there are many kinds of buffer overflow attacks, the most common one (by far), and the one that most people study in the C programming language, is an overflow of the ________________.
    $\bigcirc$ Stack   $\bigcirc$ Static   $\bigcirc$ Frame pointer   $\bigcirc$ Kernel   $\bigcirc$ Heap
  5. Why are buffer overflow attacks so insidious? (Choose the best answer)
    $\bigcirc$ The attacker is able to read data past the end of a buffer (as in Heartbleed)
    $\bigcirc$ They cause crashes due to a system running out of memory
    $\bigcirc$ The overflow payload can contain executable code
    $\bigcirc$ They slow down the attacked program, causing availability to go down
  6. The term "Security Through Obscurity" generally refers to
    $\bigcirc$ Combining design or implementation secrecy with other approaches, such as cryptography, to secure a system
    $\bigcirc$ Maintaining privacy of individuals by aggregating or randomizing data sets
    $\bigcirc$ Relying on the secrecy of a system architecture as the sole means of security
    $\bigcirc$ Management of secrets
  7. Which of the following statements about C arrays are false?
    $\Box$ When the array is returned from a function, the array elements are not copied
    $\Box$ The fourth element of array a can be accessed with the expression 3[a]
    $\Box$ When an array is assigned to a variable, the array elements are copied
    $\Box$ When the array is passed a an argument, the array elements are copied
  8. What does the "smart" in "C++ smart pointer" refer to?
    $\Box$ Only copying of the referenced contents if needed (copy-on-write)
    $\Box$ The ability to move referenced data from the stack to the heap if the compiler detects a possible dangling pointer
    $\Box$ A highly optimized garbage collection algorithm
    $\Box$ Disallowing more than one pointer pointing to the same block of memory
    $\Box$ The automatic feeing of owned heap memory when it can no longer be accessed
  9. For the JavaScript fragment, which of the following statements are true? 
    const x = {a: 1, b: []}
Object.freeze(x)
    $\Box$ x.b cannot be pushed onto
    $\Box$ x.a cannot be assigned a new value
    $\Box$ x cannot be assigned a new value
    $\Box$ x.b cannot be assigned a new value
    $\Box$ x cannot have any new properties assigned to it
  10. Which of the following are advantages of immutable objects?
    $\Box$ Value-based equality is trivial
    $\Box$ They don't have to be copied
    $\Box$ They can be shared freely among threads
    $\Box$ Adding properties to one of them has constant-time complexity
    $\Box$ They remove the overhead of persistent data structures
  11. What is wrong with this Java line 
    public record Item(String sku, int quantity) {}
    from a security perspective?
    $\bigcirc$ The quantity field should be unsigned int, not just int
    $\bigcirc$ Items are too dumb, business logic such as price computations and inventory management should be encapsulated within the record
    $\bigcirc$ Records do not allow updates, so a conventional class should be used instead
    $\bigcirc$ There should be a constructor with validation
  12. CIA is
    $\bigcirc$ Constructors, Immutability, Authorization
    $\bigcirc$ Confidentiality, Integrity, Authentication
    $\bigcirc$ Confidentiality, Immutability, Availability
    $\bigcirc$ Confidentiality, Integrity, Authorization
    $\bigcirc$ None of the above
  13. Heartbleed was an attack on ___________. (Choose the best answer)
    $\bigcirc$ Injection
    $\bigcirc$ Integrity
    $\bigcirc$ Authentication
    $\bigcirc$ Immutability
    $\bigcirc$ Availability
    $\bigcirc$ Confidentiality
  14. If you are creating a class, and one of the fields comes from a type whose instances are mutable, you should
    $\bigcirc$ Perform defensive copying on that field
    $\bigcirc$ Freeze the instances of your class
    $\bigcirc$ Use smart pointers
    $\bigcirc$ Ensure that field is read-only
  15. What allows the Billion Laughs attack to be effective?
    $\bigcirc$ It is easy to trick people into opening XML documents
    $\bigcirc$ XML is essentially "executable" thanks to entity expansion
    $\bigcirc$ There are no known defenses
    $\bigcirc$ By overflowing the target machine's web request buffer, the attacker can inject malicious code
  16. Suppose you had an immutable class called Attachment. What is wrong with 
    class Document {
    private String name;
    private Attachment[] attachments;
    public Document(String name, Attachment[] attachments) {
        this.name = name;
        this.attachments = attachments;
    }
    public String name() { return name; }
    public Attachment[] attachments() { return attachments; }
}
    $\bigcirc$ Attachments are not defensively copied in the constructor
    $\bigcirc$ Attachments are not defensively copied in the getter
    $\bigcirc$ The document name is not validated
    $\bigcirc$ The length of the attachments array is not validated
    $\bigcirc$ All of the above
    $\bigcirc$ None of the above
  17. Suppose you had an immutable class called Attachment. Is this class immutable? 
    class Document {
    private String name;
    private Attachment[] attachments;
    public Document(String name, Attachment[] attachments) {
        this.name = name;
        this.attachments = attachments;
    }
    public String name() { return name; }
    public Attachment[] attachments() { return attachments; }
}
    $\bigcirc$ Yes, because all fields are private and there are no setters
    $\bigcirc$ Yes, because Java copies all the fields for us
    $\bigcirc$ No, because the name field is not marked final
    $\bigcirc$ No, because Java arrays are still attackable
  18. Suppose you had an immutable class called Name and an immutable class called Attachment. Assuming the Name and Attachment classes were secure, is this class secure? (For those that don't know Java, the constructor does properly create a new, empty list of attachments.) 
    class Document {
    private Name name;
    private List<Attachment> attachments;
    public Document(Name name) {
        this.name = name;
        this.attachments = new ArrayList<Attachment>();
    }
    public Name name() { return name; }
    public void addAttachment(Attachment a) {
        this.attachments.add(a);
    }
}
    $\bigcirc$ No, because you cannot read the attachments
    $\bigcirc$ Yes
    $\bigcirc$ No, because relying on the name and attachments objects to do their own validations is not appropriate, as they are outside the trust boundary for this application
    $\bigcirc$ No, because attachments have to be copied before adding to the document
  19. Pointers to local variables in C are suspect because they can lead to
    $\bigcirc$ Stack overflow
    $\bigcirc$ Forgetting to clear memory after it is freed
    $\bigcirc$ Dangling pointers
    $\bigcirc$ Memory leaks
    $\bigcirc$ Buffer underflow
  20. What can be said about the following C function, which claims to return a string from some data structure being managed by the program? 
    char* messageFor(char* someCondition) {
    char* foundMessage = someCodeToFindIt(someCondition);
    return strdup(foundMessage);
}
    $\Box$ Although it only became part of standard (ISO) C in C23 and it is sometimes not widely admired, the use of strdup here is actually an acceptable means of performing a defensive copy
    $\Box$ The code will lead to memory leaks because it does not free the local string foundMessage
    $\Box$ The code induces sharing that be exploited by the caller to update the contents of the data structure through the returned pointer
    $\Box$ The code performs excessive copying
    $\Box$ The code will lead to memory leaks because it allocates space for the return value but does not free it