
COMP3911 Secure Computing - Coursework 2: Analysis of Security Flaws


COMP3911 Secure Computing Coursework 2

This assignment concerns vulnerabilities in a software application, and how they can be fixed. You should be able to do the work on any machine that has the Java Development Kit installed.

We strongly recommend that you do the assignment in pairs, though you may work on your own if you prefer. If you choose to work in a pair, please notify us of the members of the pair using the form provided for this purpose. A link & QR code for the form is available in Minerva. If you work in a pair, each member will receive the same mark for the assignment.

This assignment is worth 15% of your overall grade.

The Scenario

You are provided with the source code of a Java application in patients.zip. This is a crude attempt by an inexperienced developer to implement part of a patient records system. The idea is that GPs in a surgery can log in to the application and search for details of patients that they are currently treating.

The application uses Jetty as a built-in web server. Request processing is done by a Java Servlet. Data storage is provided by an SQLite 3 database, and queries of the database are done using JDBC. HTML pages are generated using the Freemarker template engine.

Tasks

Analysis of Security Flaws

1. Examine the database used by the application. Amongst other things, this will give you the login credentials and patient details that you need to test the application.

You can do this on the command line using the sqlite3 tool: the .schema command will tell you the structure of the database and you can issue SQL queries at the command prompt to examine its contents. You can exit the tool with .quit.

If you prefer a tool with a GUI, there are many available—e.g., DB Browser.

2. Compile and run the application from the command line using

./gradlew run

(On Windows, omit the leading ./) Note: there may be a significant delay the first time this runs, while dependencies are downloaded. If doing this from your own PC, make sure you are connected to the Internet first.

3. Visit http://localhost:8080 in a web browser to interact with the application. Use the information obtained in Step 1 to explore different paths through the application.

4. Experiment with the web interface to identify any security issues. Make a note of precisely what the issues are and how you identified them. Collect evidence such as screenshots where appropriate.

5. Study the source code of the application if necessary to gain further insight into the application’s security flaws.

6. Create a report using a word processor or other documentation preparation tool of your choice. Give your report the title ‘COMP3911 Coursework 2’ and include author details (name and username, or names and usernames of both of you if you worked in a pair). Under a section heading ‘Analysis of Flaws’, write down a numbered list of all the flaws you have found. Be brief here; identify each flaw with a single short sentence. Then pick three of the discovered flaws to discuss in more detail. For each choice, create a suitable subsection heading, under which you should describe the nature of the flaw and how you discovered it, providing suitable examples or evidence in each case.

The entire ‘Analysis of Flaws’ section should be no more than two A4 pages in length. The contents of this section are worth a total of 21 marks.

Implementation of Security Fixes

1. Choose up to three, but no more than three, of the security flaws that you listed in the ‘Analysis of Flaws’ section. These could be, but do not have to be, the same three flaws that you described in detail in that section.

2. Modify the application (and, if necessary, the database) to fix your chosen flaws.

3. Test the application to make sure that it still works and that it is no longer vulnerable.

4. Add a new section to your report, with the heading ‘Fixes Implemented’. Write a short (maximum of one A4 page) summary of the changes that you have made, explaining in each case how it has fixed the problem.

Your fixes and the written summary of them are together worth a total of 15 marks.

Deliverables

You need to submit both your report and the modified application. The report should not exceed three A4 pages in length, excluding any cover sheet. It must include your name, or the names of both contributors if you worked as a pair. It must have the section headings indicated previously. It must be submitted as a PDF file: do NOT submit a Word document or any other editable document format. The PDF file must be named report.pdf and it must be put in the same directory as the build.gradle file.

Note: you will lose marks if you don’t satisfy all of these requirements!

When you have put report.pdf in the correct location, enter the following command:

./gradlew submission

This will create a Zip archive named cwk2.zip, containing everything that needs to be submitted.

Submission

Use Minisign to sign the Zip file:

minisign -S -m cwk2.zip

Submit the files cwk2.zip and cwk2.zip.minisig, via the link provided for this purpose in Minerva. Note: if you have worked in a pair, the person who signed the Zip file should be the person who submits the file and its signature.

A further 4 marks will be awarded for a correctly formatted submission with a signature that verifies correctly—giving a total of 40 marks available for the assignment.

Note that we will need the public key of the signer to perform signature verification, so make sure that this has been submitted previously, using the relevant submission link in Minerva.

The deadline for submission is 10 am on Thursday 15 December.
