CS 455 - Secure Software Development Course Project - Spring 2022
- Objectives:
- Working in teams of 2 or 3 students, design and develop a secure and robust C/C++ application.
- Analyze and identify any security and/or implementation flaws of the application developed by another team.
- Course project will be completed in three phases--design, implementation, and analysis--with each phase graded separately.
- Total points: 35
Design aka project proposal (5 pts)
- Your application must include the following implementation features:
- Command line parameters
- Terminal-based interaction
- File input/output
- String manipulation
- Dynamic memory allocation
- Exception handling
- Error reporting (covering program logic, input/output operations, etc.)
- Submit a project proposal (PDF, no page limit) that will be graded using the following rubric (out of 5 pts):
- Team membership: 1
- Detailed description of the intended application functionality: 2
- Explanation of how each of the implementation features will be utilized in your application: 2
Implementation (20 pts)
- Implement the application described in your proposal, taking into account any feedback from the instructor.
- Your implementation must address at least 8 out of the following 13 types of vulnerabilities covered in the course:
- Buffer Overruns
- Format String Problems
- Integer Overflows
- C++ Catastrophes
- Catching Exceptions
- Command Injection
- Failure to Handle Errors Correctly
- Information Leakage
- Race Conditions
- Poor Usability
- Not Updating Easily
- Executing Code with Too Much Privilege
- Failure to Protect Stored Data
- Write an implementation report indicating how each vulnerability is addressed in your code:
- For every vulnerability type, list every instance in your code where a potential vulnerability of that type is addressed (a "resolution");
- For every instance, include the file name and the class/method or function name.
- Format your implementation report as a table:

  #  | Vulnerability          | Instance ID | Location
  ---|------------------------|-------------|----------------------------------
  1  | Buffer Overruns        | 1-1         | File: foo.c, Function: bar()
     |                        | 1-2         | File: foo.c, Function: fubar()
  2  | Format String Problems | 2-1         | File: spam.cpp, Function: ham()
     |                        | 2-2         | File: spam.cpp, Function: eggs()
- Prepare two versions of your source code:
- Verification version
- Include a readme file with a brief description of the functionality of your project. This should include instructions on how to run the compiled program;
- Place appropriate attribution statements at the beginning of each source code file;
- For each function/method, document its purpose, the meaning and valid values of its parameters, its return value, and any side effects;
- Use proper variable/function/class names;
- Indicate each team member contribution throughout the entire code base; indicate the primary author of each function/method;
- Throughout the source code, indicate every resolution instance of a potential vulnerability listed in your implementation report. For every potential vulnerability instance, indicate its ID and provide comments explaining how the vulnerability is being avoided/addressed.
- Analysis version
- This version of your source code will be turned over to another student team.
- Once the verification version of your code is complete, make a copy of it to create the analysis version:
- Include an anonymized version of the readme file mentioned above;
- Remove all author attribution statements;
- Remove all references to the resolution instances of potential vulnerabilities, as well as any comments that specifically explain how each resolution works;
- Make sure that neither the remaining comments nor the lack of comments gives away any location in your code where you address a particular vulnerability (a function that is conspicuously stripped of comments is as much of a hint as one that is annotated).
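One way the verification version might tag its resolutions, as an added example that is not part of the course handout or of any team's submission. The instance IDs, the hypothetical file "loader.cpp", the function names, and the numbering of vulnerability types (1 = Buffer Overruns, 2 = Format String Problems, 3 = Integer Overflows, 5 = Catching Exceptions, 7 = Failure to Handle Errors Correctly, following the order of the list above) are all assumptions; each tag is the ID that would appear in the implementation report table:

```cpp
// Added example (hypothetical file loader.cpp), not part of the course
// handout or any team's submission. Every resolution is tagged with the
// Instance ID used in the implementation report; IDs and names are assumed.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <fstream>
#include <iterator>
#include <limits>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Instance 1-1 (Buffer Overruns): copy into a caller-supplied fixed-size
// buffer. Never writes more than dstSize bytes, always NUL-terminates, and
// reports truncation to the caller instead of silently overrunning.
bool copyBounded(char *dst, std::size_t dstSize, const char *src) {
    if (dst == nullptr || src == nullptr || dstSize == 0) return false;
    std::size_t n = std::strlen(src);
    if (n >= dstSize) {                 // source plus terminator does not fit
        std::memcpy(dst, src, dstSize - 1);
        dst[dstSize - 1] = '\0';
        return false;
    }
    std::memcpy(dst, src, n + 1);       // includes the terminator
    return true;
}

// Convenience wrapper: returns {fit, text actually stored in the buffer}.
std::pair<bool, std::string> copyInto(std::size_t dstSize, const char *src) {
    std::vector<char> buf(dstSize, '\0');
    bool fit = copyBounded(buf.data(), buf.size(), src);
    return {fit, buf.empty() ? std::string() : std::string(buf.data())};
}

// Instance 2-1 (Format String Problems): user-controlled text is passed as
// an argument to a fixed format string, never as the format itself
// (the unsafe form would be printf(userInput.c_str())).
std::string formatGreeting(const std::string &userInput) {
    char buf[128];
    std::snprintf(buf, sizeof buf, "Hello, %s!", userInput.c_str());
    return std::string(buf);
}

// Instance 3-1 (Integer Overflows): the count * recordSize product is
// checked against the size_t maximum before it reaches the allocator, so a
// huge count cannot wrap around to a small allocation.
std::vector<std::uint8_t> allocateRecords(std::size_t count, std::size_t recordSize) {
    if (recordSize != 0 &&
        count > std::numeric_limits<std::size_t>::max() / recordSize) {
        throw std::overflow_error("record buffer size overflows size_t");
    }
    return std::vector<std::uint8_t>(count * recordSize);
}

// Probe used by main() and the checks below: true when the guard fires.
bool allocationRejected(std::size_t count, std::size_t recordSize) {
    try { allocateRecords(count, recordSize); return false; }
    catch (const std::overflow_error &) { return true; }
}

// Instance 7-1 (Failure to Handle Errors Correctly): an unopenable file is
// reported with a specific exception carrying the path, not ignored.
std::string readConfig(const std::string &path) {
    std::ifstream in(path);
    if (!in) throw std::runtime_error("cannot open config: " + path);
    return std::string((std::istreambuf_iterator<char>(in)),
                       std::istreambuf_iterator<char>());
}

// Instance 5-1 (Catching Exceptions): the command boundary catches only the
// exception type it knows how to handle and maps it to an exit status with
// a message on stderr; there is no catch (...) that would hide other failures.
// Returns 0 on success, 1 on an I/O error, 2 on an empty config.
int runLoadCommand(const std::string &path) {
    try {
        return readConfig(path).empty() ? 2 : 0;
    } catch (const std::runtime_error &e) {
        std::fprintf(stderr, "error: %s\n", e.what());
        return 1;
    }
}

// Instance 7-2 (Failure to Handle Errors Correctly): the command line is
// validated before use; a missing argument is a reported usage error.
int main(int argc, char **argv) {
    if (argc != 2) {
        std::fprintf(stderr, "usage: %s <config-path>\n", argv[0]);
        return 1;
    }
    return runLoadCommand(argv[1]);
}
```

In the analysis version only the "Instance N-N" lines and the sentences explaining the defence would be removed; the ordinary descriptive comments on each function stay, so that a bare, comment-free function does not itself point the reviewing team at the resolution.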
- Submit your implementation report (PDF, no page limit) and two versions of your source code. Analysis and verification versions of your source code must be packaged as separate ZIP files and each must include a makefile.
- Your implementation will be graded using the following rubric (out of 20 pts):
- Indentation, general commenting, variable/function naming: 4
- Author attribution: 1
- Implementation report completeness: 4
- Adequacy of vulnerability resolutions: 6
- Adequacy of vulnerability documentation: 5
Analysis (10 pts)
- Perform a code review of the application implemented by another team. You will receive only the analysis version of their code.
- Analyze the code for the possible vulnerabilities listed above. Identify all areas in the code where possible vulnerabilities have been successfully addressed, unsuccessfully addressed, or not addressed at all.
- Write an analysis report indicating how each vulnerability is addressed in the code you received:
- Use a format similar to the implementation report;
- For every vulnerability instance you identified, provide sufficient details explaining whether the resolution is
- successful (the code adequately resolves or avoids the vulnerability),
- unsuccessful (the code attempts to resolve the vulnerability, but the provided solution is not adequate), or
- missing (there appear to be no attempts in the code to address/resolve the vulnerability).
- Format your analysis report as a table:

  #  | Vulnerability          | Instance ID | Location                          | Resolution
  ---|------------------------|-------------|-----------------------------------|--------------------------------------
  1  | Buffer Overruns        | 1-1         | File: foo.c, Function: bar()      | Successful resolution <details...>
     |                        | 1-2         | File: foo.c, Function: fubar()    | Unsuccessful resolution <details...>
  2  | Format String Problems | 2-1         | File: spam.cpp, Function: ham()   | Successful resolution <details...>
     |                        | 2-2         | File: spam.cpp, Function: green() | Missing resolution <details...>
     |                        | 2-3         | File: spam.cpp, Function: eggs()  | Successful resolution <details...>
- Submit your analysis report (PDF, no page limit). It will be graded using the following rubric (out of 10 pts):
- Analysis report attribution: 1
- All/most vulnerability instances identified correctly: 4
- Resolution analysis is adequate: 5