CMSI 662
Midterm Preparation

Logistics

You will take this exam on BrightSpace. It will be multiple choice with a 120 minute time limit. You MAY use books, notes, and web searches to look things up. You will not be spied on: there is no browser lockdown and hence no need to hide a mobile device in a bag of potato chips. However, you MAY NOT solicit answers in any way. There is to be no asking for help, no posting on forums, no communication with other humans or intelligent bots in any way; you can only “look things up.” You also MAY NOT post answers or help any other test taker either. You are bound by an honor code to follow these rules.

The exam will be made available on Monday, March 18, 2024 at 9:30pm America/Los Angeles time and must be completed by Friday, March 22, at 11:59pm, America/Los Angeles time. Choose any two-hour period in this range to take the exam. You must complete the exam in two hours.

How to Study

You should:

  1. Review the course learning objectives from the syllabus
  2. Review the course notes on the topics we have covered so far
  3. Do plenty of practice problems!
  4. Browse the suggested self-study resources below

Course Notes Review

Review the course notes if you can, but to help you a little, here’s an outline of the topics we covered:

  1. INTRODUCTION TO COMPUTER AND SOFTWARE SECURITY
    1. INTRO TO COMPUTER SECURITY
      1. Different types of security and their definitions
      2. Correctness vs security
      3. Assets
      4. Threats
      5. Philosophical questions about security
      6. Pillars of security strategy: protection, detection, reaction
      7. Security mindset: every input is a potential threat
      8. Attacks
        1. What they can do: eavesdrop, spoof, deny service, break in
        2. What they compromise: Confidentiality, Integrity, Availability (CIA)
      9. What happened at the Öst-Götha Bank in 1854
      10. Security at all levels: hardware, OS, network, application, human
      11. Security architecture vs. Secure software
      12. Vocab: defect, vulnerability, exploit, threat, risk, failure
    2. INTRO TO SOFTWARE SECURITY
      1. Computer security (cybersecurity) vs Software security
      2. Percentage of security incidents due to bad software: 90%
      3. Security at all phases of the SDLC
      4. Different means of attacks
        1. Low-level memory attacks (e.g., C)
        2. Web and network security
      5. "BUILD SECURITY IN"
        1. So you can cover everything (whitebox)
        2. To avoid ad-hoc security feature checking
        3. To catch errors at domain objects (that's the best)
          • User Ids are not strings
          • Quantities are not integers
        4. Why not leave security out of development and add it later?
          • If delayed, it may never happen, and the deployed system will be compromised
          • If delayed, the pentesters will find the problems late and show why the project should not be deployed
      6. How to define security requirements (and how NOT to!)
      7. Defense in depth
      8. Defense in breadth
      9. Principles
        1. Set Trust Boundaries
        2. Design for Least Privilege
        3. Maintain Integrity
        4. Fail Fast
        5. Audit
        6. Don’t Rely on Secrets
        7. Keep It Simple
        8. Prevent Leaks
      10. Tactics
        1. We named, but did not describe, several dozen of these
      11. Various Software Security Guidelines and Standards
      12. Links to software security resources
  2. PROGRAMMING LANGUAGE BASICS
    1. C BASICS
      1. Hello world
      2. Types
        1. Numbers, booleans
        2. Structs
        3. Pointers
        4. Arrays (NOT bounds checked!!)
      3. printf
        1. A user-controlled format string is an attack vector: printf(s) vs printf("%s", s)
      4. Functions
      5. Memory layout
        1. Static storage, stack, heap
        2. Pointers to stack storage (be careful: never return one from the function whose frame owns it)
        3. malloc() for pointers to the heap
        4. free()
        5. Memory Leaks
        6. Dangling Pointers
        7. Structs are copied
        8. Arrays
        9. Arrays are passed as pointers
        10. Call frames (including the saved return address) live on the stack, so a buffer overflow can overwrite the return address
      6. Strings (char*)
        1. Also not bounds checked
        2. strlen is linear time
        3. strcpy/strcat vs strncpy/strncat (and strncpy's own pitfall: no guaranteed NUL terminator when src fills the buffer)
    2. C++ BASICS
      1. References
      2. Raw Pointers
      3. Structs and Classes
        1. Constructors
        2. Fields
        3. Methods
      4. Smart Pointers
      5. Standard Library Containers and Algorithms
    3. JAVASCRIPT BASICS
      1. Browser-based vs Server-based apps
      2. Types
        1. Primitives vs. References
        2. Null vs Undefined, Number vs BigInt
        3. Weakly typed
      3. Objects, identity, shallow vs deep copy
      4. Destructuring
      5. Prototypes
      6. Arrays
      7. First Class Functions!
      8. This, methods, and arrow functions
      9. Class Syntax
        1. Just a surface syntax
        2. Basics
        3. Private and static properties
      10. Optional Chaining and Coalescing
      11. Promises
    4. JAVA BASICS
      1. Only classes at the top-level
      2. Types
        1. Primitives vs. References
        2. Reference types: Class, array, record, interface, enum
        3. Assignment and equality require care for reference types
        4. Billion Dollar Mistake (null references)
      3. Strings (UTF-16 oh no!)
      4. Arrays (weird, covariant) vs lists (invariant)
      5. Interfaces
      6. Records
      7. Optionals
      8. Streams
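The "catch errors at domain objects" idea (User Ids are not strings, Quantities are not integers), together with the Fail Fast principle and the "every input is a potential threat" mindset, as an added C example that is not part of the course notes. The validation rules (a user id is 3 to 16 characters of [a-z0-9_], a quantity is 1 to 1000) and the "user,qty" input line format are assumptions made up for this illustration; the point is that the business logic only ever receives values that have already passed through a constructor, so it cannot be handed a negative quantity or a user id containing a quote or a newline.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A quantity is not an int: only 1..MAX_QUANTITY is meaningful (assumed limit). */
#define MAX_QUANTITY 1000
typedef struct { int32_t units; } quantity;

/* Constructor: returns 0 and fills *out on success, -1 otherwise (fail fast). */
int quantity_from_int(int64_t raw, quantity *out) {
    if (out == NULL || raw < 1 || raw > MAX_QUANTITY) return -1;
    out->units = (int32_t)raw;
    return 0;
}

/* A user id is not a string: assumed rule is 3..16 characters of [a-z0-9_]. */
typedef struct { char text[17]; } user_id;

int user_id_from_string(const char *raw, user_id *out) {
    if (raw == NULL || out == NULL) return -1;
    size_t n = strlen(raw);
    if (n < 3 || n > 16) return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)raw[i];
        if (!(islower(c) || isdigit(c) || c == '_')) return -1;
    }
    memcpy(out->text, raw, n + 1);   /* n + 1 copies the terminator; fits in 17 */
    return 0;
}

/* Business logic accepts validated types only; no re-checking needed here. */
int64_t order_total_cents(const user_id *who, quantity qty, int64_t unit_price_cents) {
    (void)who;                       /* who is used for auditing in a real system */
    return (int64_t)qty.units * unit_price_cents;
}

/* Trust boundary: parse one untrusted line "user,qty" (constructed format).
   Returns the order total in cents, or -1 if any part of the input is rejected. */
int64_t handle_order_line(const char *line, int64_t unit_price_cents) {
    char buf[64];
    if (line == NULL || strlen(line) >= sizeof buf) return -1;  /* bounds check first */
    memcpy(buf, line, strlen(line) + 1);

    char *comma = strchr(buf, ',');
    if (comma == NULL) return -1;
    *comma = '\0';                   /* buf is now the raw user id, comma+1 the raw quantity */

    char *end;
    long long raw_qty = strtoll(comma + 1, &end, 10);
    if (end == comma + 1 || *end != '\0') return -1;   /* no digits, or trailing junk */

    user_id uid;
    quantity q;
    if (user_id_from_string(buf, &uid) != 0) return -1;
    if (quantity_from_int(raw_qty, &q) != 0) return -1;
    return order_total_cents(&uid, q, unit_price_cents);
}

int main(void) {
    /* Constructed sample inputs: one good line and several hostile ones. */
    const char *lines[] = { "alice_42,3", "alice_42,-3", "Alice,3", "bob';--,2", "carol_7,1001" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-14s -> %lld\n", lines[i], (long long)handle_order_line(lines[i], 250));
    return 0;
}
```

Once the constructors are the only way to obtain a quantity or a user_id, a code review only has to check the boundary (handle_order_line) rather than every function that touches these values.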
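The C memory-layout and string items above (arrays and char* are not bounds checked, structs are copied while arrays are passed as pointers, strcpy vs strncpy, user-controlled printf format strings) as one added C example; this is illustration code written for this page, not code from the course notes. The buffer size of 8 and the sample inputs are constructed. The deliberately unsafe copy is shown but never called with an overlong input, because that would be undefined behaviour; the hardened replacement and the strncpy pitfall are exercised instead.

```c
#include <stdio.h>
#include <string.h>

/* Structs are copied into the callee: the caller's value is unchanged. */
typedef struct { int balance; } account;
void bump_struct(account a) { a.balance += 100; }
int struct_copy_demo(void) { account acc = {50}; bump_struct(acc); return acc.balance; }  /* 50 */

/* Arrays decay to pointers: the callee writes through to the caller's storage. */
void bump_array(int a[]) { a[0] += 100; }
int array_pointer_demo(void) { int arr[1] = {50}; bump_array(arr); return arr[0]; }      /* 150 */

/* UNSAFE: strcpy copies until the source's NUL with no idea how big dst is.
   With src longer than 7 characters this writes past dst (undefined behaviour);
   on a typical stack layout that clobbers neighbouring locals and the return address. */
void unsafe_copy8(const char *src) {
    char dst[8];
    strcpy(dst, src);
    printf("%s\n", dst);
}

/* strncpy is not the fix people think: if src has >= cap characters, no NUL is written.
   Returns 1 if the buffer is terminated after strncpy(buf, src, cap), 0 if not. */
int strncpy_terminates(const char *src, size_t cap) {
    char buf[16];
    if (cap > sizeof buf) return -1;
    memset(buf, 'X', sizeof buf);          /* pre-fill so a missing terminator is visible */
    strncpy(buf, src, cap);
    return memchr(buf, '\0', cap) != NULL;
}

/* Hardened copy: the capacity travels with the pointer, the result is always
   NUL-terminated, and an input that does not fit is rejected (fail fast) rather
   than silently truncated. Returns 0 on success, -1 on rejection. */
int safe_copy(char *dst, size_t cap, const char *src) {
    if (dst == NULL || src == NULL || cap == 0) return -1;
    size_t n = strlen(src);
    if (n >= cap) {                        /* no room for the terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Same 8-byte buffer as unsafe_copy8, but via safe_copy; returns its verdict. */
int try_copy8(const char *src) {
    char dst[8];
    int rc = safe_copy(dst, sizeof dst, src);
    /* Untrusted text is never used as the format string: printf("%s", s), not printf(s). */
    if (rc == 0) printf("%s\n", dst);
    return rc;
}

int main(void) {
    printf("struct copy: %d, array pointer: %d\n", struct_copy_demo(), array_pointer_demo());
    unsafe_copy8("short");                 /* fits; "shortbutlong" would overflow (not run) */
    printf("strncpy terminated (ABC,8): %d  (ABCDEFGH,8): %d\n",
           strncpy_terminates("ABC", 8), strncpy_terminates("ABCDEFGH", 8));
    printf("safe_copy rc: %d %d\n", try_copy8("seven77"), try_copy8("exactly8"));
    return 0;
}
```

The pattern to remember for the exam is that every fixed-size buffer needs its capacity passed alongside it, and that strncpy only helps if you also force the terminator (buf[cap-1] = '\0') or, as here, refuse inputs that do not fit.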

Practice Problems

On the course practice page, do all of the reinforcement problems and try as many of the find-the-vulnerability problems as you have time for.

Other Study Resources

Keep in mind that our (world’s) knowledge culture is far more literary than oral, so read, or reread, or watch the presentations and the online guides mentioned near the end of the course notes on Software Security.

You have to put in the time for effortful self-study. Although the exam is open resources, you will not have time to look everything up. Those who come in with a strong comfort level with the material will finish on time. I am assessing your fluency and your proficiency with the material, not your Google-Fu.