Assignments

There will be approximately four minor assignments and one major project that will be assigned during this class. All minor assignments are expected to be performed INDIVIDUALLY unless specific approval in writing is granted from the instructor. I recommend a review of the GMU honor code to familiarize yourself with what is and is not appropriate in regards to student collaboration and source material attribution. The major project may be performed in groups of up to four students.

Minor Assignment 1

    Task: Explore examples of insecure code using NIST's SAMATE database

  • Detail: The NIST SAMATE project is collecting examples of vulnerable code.  It is designed to be used to "provide users, researchers, and software security assurance tool developers with a set of known security flaws [1]".  Your assignment is to browse through this collection, choose one of the code examples, determine why it is vulnerable and what could be done to produce a secure equivalent.  You will be required to write up your findings in a one to two page report. Please make sure that you clearly identify which code example you have choosen, explain the vulnerability and your approach to solving it.  If the code example is small enough, please include it as an attachment to your report.  As in the real world, good grammar and spelling is required!

    This is an individual assignment. No group work is allowed.

    This assignment, as with all assignments in this class must be performed in STRICT COMPLIANCE to the honor code!

  • Due Date: Sept 8th

    [1] NIST SAMATE Reference Dataset Project, http://samate.nist.gov/SRD/.

Minor Assignment 2

    Task: Produce a financial program that tracks the balances of multiple users and supports multiple currencies.

  • Detail: Produce a command-line driven financial calculator that supports multiple currencies. The program should be capable of adding and subtracting values from a user's account. The program should handle conversion of the currencies prior to the arithmetic operation. The program should include commands:

    • ADDUSER <Username> <CurrencyType> - Add username to the database. Set user's preferred currency to CurrencyType
    • SETCUR <Username> <CurrencyType> - Change username's currency type to currency. Convert current balance into new currency.
    • DELUSER <Username> - Remove user from the database
    • [ADD|SUB] <Username> <currency value1> - Add or remove amount from user's account. Currency Value can be from any of the supported currency types.
    • PRINT - List all users and balances
    • MAINT - Allow currency conversion data to be entered (or read in)

    Create regular expressions to validate all input to include commands, usernames, currency types, and currency values. For currency values, validation should be consistent with the standards used to write numbers in the currency being used. (e.g. $3,150.02, 10.52 USD, etc.). Be sure to document your assumptions for formats in your report.

    Accepting ambiguous currency values is acceptable as long as you handle the ambiguity reasonably

    You must accept at least three unique currencies (e.g. USD, UK Pound, Euro). You must include functions that allow conversion values to be input for the currencies that you will support.

    You must gracefully reject any attempts to provide invalid data.

    The database of user accounts should persist between executions of the program.

    Permissible languages: C/C++, Java, Perl, Other with permission of instructor

  • Submission instructions: You are required to provide the source code including instructions on how to compile and run the software. Please let me know if your code has any dependencies (e.g. libraries, external programes, etc.) that must be installed prior to running your code. I would strongly prefer that you do not rely upon anything that is not freely available. If this is not possible, please let me know in advance so we can work out some way for me to evaluate and grade your assignment. In addition to the code and instructions, you must also turn in a report that describes your submission. This report should include a description of how your code works, any assumptions you have made, and the pros/cons of your appoach.

    This is an individual assignment. No group work is allowed.

    This assignment, as with all assignments in this class must be performed in STRICT COMPLIANCE to the honor code!

  • Due Date: Sept 29th

    Instructor's solution! Suggestions for improvement are welcome.

Minor Assignment 3

    Task: Create a protected user account database.

  • Detail: Applications frequently need to securely identify a user prior to allowing them to access the system. Your task in this assignment is to create a system to implement a username/password based authentication system. The following features are mandatory :

    • Must maintain user accounts across executions (e.g. long term storage)
    • Must allow the creation, deletion of user accounts
    • Must associate a password to each user account. This should be under the control of the user
    • Must provide a demonstration application that grants user access when provide a valid username/password pair
    • The passwords must be protected. No administrator who has access to the underlying file system should be able to see clear text passwords (hint; cryptographic hashing).
    • The password file itself should be protected from tampering
    • Reject any attempts to provide invalid data.


    Permissible languages: C/C++, Java, Perl, Other with permission of instructor

  • Submission instructions: You are required to provide the source code including instructions on how to compile and run the software. Please let me know if your code has any dependencies (e.g. libraries, external programes, etc.) that must be installed prior to running your code. I would strongly prefer that you do not rely upon anything that is not freely available. If this is not possible, please let me know in advance so we can work out some way for me to evaluate and grade your assignment. In addition to the code and instructions, you must also turn in a report that describes your submission. This report should include a description of how your code works, any assumptions you have made, and the pros/cons of your appoach.

    This is an individual assignment. No group work is allowed.

    This assignment, as with all assignments in this class must be performed in STRICT COMPLIANCE to the honor code!

  • Due Date: Midnight on Oct 27th

Major Project

Peer to Peer Gaming!

    Task: Create a board game that can be securely played across a network

  • Detail:
      You are part of a small development shop that has been asked to develop a network-enabled board game. The game will eventually be played between competitors that do not trust each other and will be run in an environment where other unauthorized people may try to monitor and/or tamper with the game and its results. It is essential that your program allow the players to play the game without interference and that no player can claim after the fact that their opponent cheated.
      The program should be designed as securely as possible. You should specifically avoid buffer overflows, accepting invalid input, and passing sensitive data unprotected. You will also need to authenticate both users to each other.

  • Choosing the Game:
      Choice of which board game to implement is up to you!
      A few words of warning though…
        Some games will be much easier to implement than others.
        I will reserve a few points for games that have higher development difficulty to them. However, do not let your choice of game prevent you from completing the assignment!
        Any games that rely upon random values (e.g. dice, shuffled card deck, etc) will need a source of random that is trusted by both players.
      Some suggested games include
        Chess, Checkers, Tic-Tac-Toe, Othello, Go
      There is NO requirement for a game AI
        Each player will be responsible for their moves. There is no requirement for a single user mode.

  • Other Requirements:
      The game must be playable over a TCP/IP network.
        How each side of the game discovers each other is up to you
        Actually game architecture (P2P, Client Server) is up to you
      The game must reject invalid inputs including …
        inputs that are syntactically correct but are semantically invalid based upon the current state of game play.
      The game must be able to prove that each player made the moves they did during the game. Remember, neither side trusts each other.
      The game communications must not be accessible to a third party during play but both players must be able to show a third party that the game was played, what moves were made, and who the winner was. (e.g. secure audit trail)
      There needs to be a UI sufficient to play the game but a GUI is not required

General requirements

  • Usability vs. Security:
      Do not make security the be-all end-all requirement for your programs.
      Always remember that a program is written to be used by its users.
      It is NOT ok to write a program that is difficult to use or that has limited functionality in the name of security
      It is also NOT ok to write a program with security weaknesses in the name of functionality

  • Teams:
      You are allowed to work in teams of up to five students
        Make sure to fairly distribute the work amongst the team members
      You may work alone if desired however…
        There will be no reduction in requirements because of this. If you choose to work alone you will be solely responsible for everything
      Teams must register what game they plan to implement
        Only one game type per class will be allowed (e.g. no two teams will be allowed to implement the same game)
        First come, first serve for game selection. The first email I receive indicating a game preference is the team that will be allowed to implement that game.
      Only one game per team
        I will only reserve one game per team. If you decide to implement multiple games, the additional games can be of any type even if this conflicts with another team.

  • Stage Check:
      Midway through the project, each team will need to provide a write-up of your basic design in the form of a high level design report. This report should include
        The composition of your team and what role each member is playing
        Which game you have chosen to implement
        The high level architecture of your design
        Any design constraints and assumptions that you have made
        Challenges that you feel you will need to address to complete the project

  • Final Report:
      You will be required to provide a detailed report on your implementation. This report should include the following sections.
        Heading (project name, collaborators, class, date)
        Introduction – brief description of project
        Design
        Architecture of the code
        Description of major functions, classes
        Description of functionality and how it is implemented
        Installation Instructions
        Operating Instructions
          This should include a description of the game rules.
          If these are long they can be included as an appendix.

  • Presentation:
      Each team is required to develop a 15 min presentation of their project. This presentation must
        Describe how the team has met the requirements
        Discuss unique features of the design
        Provide a live demonstration of the game being played
      Presentations are currently scheduled for December 6th
      Order of presentations will be by random team selection
      It is possible if the number of teams is too large that we will have to
        Shorten the presentation time slots
        Have an additional class to allow the remaining presentations to be given

  • Grading:
      Their will be two main components to your grade.
        Project score (80%)
        Participation score (20%)
      The project score is worth 80% of the total grade and will be developed using the following criteria
        Stage Check (5%)
        Final Report (10%)
        Presentation (15%)
        Functionality (25%)
        Security (25%)
      The participation score is worth 20% of the total grade and will be developed based upon
        A confidential report provided to me by each team member that describes the role and level of effort for the other team members
        My direct observations concerning each team members engagement and understanding of the project


  • Permissible languages: C/C++, Java, Perl, Other with permission of instructor

  • Submission instructions: As with the Minor Assignments, you are required to provide the source code including instructions on how to compile and run the software. Please let me know if your code has any dependencies (e.g. libraries, external programes, etc.) that must be installed prior to running your code. I would strongly prefer that you do not rely upon anything that is not freely available. If this is not possible, please let me know in advance so we can work out some way for me to evaluate and grade your assignment.

  • This is an group assignment. Group work IS allowed but only within defined and approved teams.

  • This assignment, as with all assignments in this class must be performed in STRICT COMPLIANCE to the honor code!

  • Important Dates:
      Nov 17th: Stage Check Due
      Dec 15th: Project Presentations. All work must be completed and handed in on this date