Computer Science Assignment Writing | COMP3911 Secure Computing Coursework 2

This assignment concerns vulnerabilities in a software application, and how they can be fixed. You should be able to do the work on any machine that has the Java Development Kit installed.

We strongly recommend that you do the assignment in pairs, though you may work on your own if you prefer. If you choose to work in a pair, please notify us of the members of the pair using the form provided for this purpose. A link & QR code for the form is available in Minerva. If you work in a pair, each member will receive the same mark for the assignment.

This assignment is worth 15% of your overall grade.

The Scenario

You are provided with the source code of a Java application in patients.zip. This is a crude attempt by an inexperienced developer to implement part of a patient records system. The idea is that GPs in a surgery can log in to the application and search for details of patients that they are currently treating.

The application uses Jetty as a built-in web server. Request processing is done by a Java Servlet. Data storage is provided by an SQLite 3 database, and queries of the database are done using JDBC. HTML pages are generated using the Freemarker template engine.
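The scenario says database queries are done through JDBC against SQLite. As an added illustration of what a patient search of that kind looks like when written with a bound-parameter query scoped to the logged-in GP (this is example code, not code from patients.zip), the following assumes the sqlite-jdbc driver (org.xerial:sqlite-jdbc) is on the classpath; the table layout, column names and sample rows are constructed for this example only.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example: a parameterised patient search over JDBC/SQLite.
 * Assumes the sqlite-jdbc driver is available; the schema and rows below
 * are constructed for this illustration and are not taken from patients.zip.
 */
public class PatientSearchExample {

    // Constructed schema: each patient row records which GP is treating them.
    private static final String CREATE_TABLE =
        "CREATE TABLE patients ("
      + "  id INTEGER PRIMARY KEY,"
      + "  gp_id TEXT NOT NULL,"
      + "  surname TEXT NOT NULL,"
      + "  dob TEXT NOT NULL)";

    // Constructed sample data, including a surname that contains an apostrophe.
    private static final String[] SAMPLE_ROWS = {
        "INSERT INTO patients (gp_id, surname, dob) VALUES ('gp01', 'Smith',   '1970-01-01')",
        "INSERT INTO patients (gp_id, surname, dob) VALUES ('gp01', 'O''Brien','1985-06-15')",
        "INSERT INTO patients (gp_id, surname, dob) VALUES ('gp02', 'Smith',   '1992-03-30')"
    };

    /**
     * Returns "surname dob" strings for patients of the given GP whose surname
     * matches exactly. Both values are bound as parameters, so the driver
     * handles quoting and the caller's text is compared literally.
     */
    public static List<String> searchPatients(Connection conn, String gpId, String surname)
            throws SQLException {
        String sql = "SELECT surname, dob FROM patients WHERE gp_id = ? AND surname = ?";
        List<String> results = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, gpId);     // restrict to the logged-in GP's own patients
            ps.setString(2, surname);  // the search term typed by the user
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    results.add(rs.getString("surname") + " " + rs.getString("dob"));
                }
            }
        }
        return results;
    }

    public static void main(String[] args) throws SQLException {
        // In-memory database so the example runs without touching any real file.
        try (Connection conn = DriverManager.getConnection("jdbc:sqlite::memory:")) {
            try (Statement st = conn.createStatement()) {
                st.execute(CREATE_TABLE);
                for (String row : SAMPLE_ROWS) {
                    st.execute(row);
                }
            }
            // Ordinary lookup: only gp01's Smith is returned, not gp02's.
            System.out.println(searchPatients(conn, "gp01", "Smith"));
            // The apostrophe in O'Brien needs no manual escaping when bound as a parameter.
            System.out.println(searchPatients(conn, "gp01", "O'Brien"));
            // gp02 searching for O'Brien gets nothing: the row belongs to gp01.
            System.out.println(searchPatients(conn, "gp02", "O'Brien"));
        }
    }
}
```

The two points worth noticing are that the GP identifier comes from the server-side session rather than from the request, so the query can only ever return that GP's own patients, and that the surname is passed to `setString` rather than spliced into the SQL text, which is why a value containing a quote character is matched literally.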

Tasks

Analysis of Security Flaws

You can do this on the command line using the sqlite3 tool: the .schema command will tell you the structure of the database and you can issue SQL queries at the command prompt to examine its contents. You can exit the tool with .quit.

If you prefer a tool with a GUI, there are many available—e.g., DB Browser.

./gradlew run

(On Windows, omit the leading ./)

Note: there may be a significant delay the first time this runs, while dependencies are downloaded. If doing this from your own PC, make sure you are connected to the Internet first.

Under a section heading ‘Analysis of Flaws’, write down a numbered list of all the flaws you have found. Be brief here; identify each flaw with a single short sentence.

Then pick three of the discovered flaws to discuss in more detail. For each choice, create a suitable subsection heading, under which you should describe the nature of the flaw and how you discovered it, providing suitable examples or evidence in each case.

The entire ‘Analysis of Flaws’ section should be no more than two A4 pages in length. The contents of this section are worth a total of 21 marks.

Implementation of Security Fixes

Modify the application (and, if necessary, the database) to fix your chosen flaws.

Your fixes and the written summary of them are together worth a total of 15 marks.

Deliverables

You need to submit both your report and the modified application.

The report should not exceed three A4 pages in length, excluding any cover sheet. It must include your name, or the names of both contributors if you worked as a pair. It must have the section headings indicated previously. It must be submitted as a PDF file: do NOT submit a Word document or any other editable document format. The PDF file must be named report.pdf and it must be put in the same directory as the build.gradle file.

Note: you will lose marks if you don’t satisfy all of these requirements!

When you have put report.pdf in the correct location, enter the following command:

./gradlew submission

This will create a Zip archive named cwk2.zip, containing everything that needs to be submitted.

Submission

Use Minisign to sign the Zip file:

minisign -S -m cwk2.zip

Submit the files cwk2.zip and cwk2.zip.minisig, via the link provided for this purpose in Minerva. Note: if you have worked in a pair, the person who signed the Zip file should be the person who submits the file and its signature.

A further 4 marks will be awarded for a correctly formatted submission with a signature that verifies correctly—giving a total of 40 marks available for the assignment.

Note that we will need the public key of the signer to perform signature verification, so make sure that this has been submitted previously, using the relevant submission link in Minerva.

The deadline for submission is 10 am on Thursday 15 December.