Faculty of Science & Engineering
COMP8260 – Advanced System and Network Security
Assignment: I
Total Marks: 30 (Weighting: 10%)
Deadline: Friday (Week 5), 26th of August XXXXXXXXXX:00 pm).
Note: Submit the assignment via Turnitin (Include Student Name and ID in assignment).
Objectives
This assignment has been designed to test your knowledge on the material covered in the first half of the unit:
Introduction to cyber security, threats, attacks and security mechanisms, cryptography, security protocols,
authentication and access control and web security.
Note
• Assumptions (if any) must be stated clearly in your answers.
• There may not be one right answer for some of the questions. So, your explanations need to present
your case clearly. The explanations you provide do not have to be long; conciseness is preferred to
meandering.
• It is recommended that you use Python for the programming components of the assignment. However,
you are free to use another programming language provided the question/answer/solution can be
seamlessly translated into an identical (structure or solution) problem in that language.
Question 1 (10 marks)
Consider a scenario wherein an Android application developed by LanjaMar, an IT firm, has 5,000 users and
this application uses a PIN entry-based login mechanism. The application uses a technique to initially generate
and assign a random 4-digit PIN to each user such that no two users have the same PIN. The user simply
enters a PIN on the mobile-phone screen at the login prompt and the backend system authenticates the user
using the correct PIN entered by the user.
Furthermore, assume that you have been hired by LanjaMar as a security consultant to analyze the security
of the app and its backend system.
(a) Assume Alex is one of the users. What is the probability that an attacker, Eve, can guess Alex’s PIN in
one try? (2 mark)
(b) What is the probability that Eve can guess any user’s PIN in the first attempt? (1 marks)
(c) How many attempts are needed by Eve to guess any user’s PIN with a probability at least 0.5? (2
marks)
(d) You suggest to LanjaMar that the user should also enter a unique username. What issue does this
mitigate? Does the use of a bank card in addition to entering a unique PIN offer a more robust authentication
scheme? (3 marks)
(e) Suppose that the developed Android application only lets users turn on the Flashlight, turning their
phones into a rudimentary light source by displaying a blank white screen at maximum brightness. Android places
limits on what an application can do and requires it to request additional permissions from the user on
installation. The Flashlight requires the following permissions: storage, system tools (to prevent the phone from
sleeping), location (GPS), phone call state, and full network access. Identify one or more security principles
relevant to the app and advise (with a one or two sentence justification) LanjaMar on the security of the
application. (2 marks)
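As an added illustration (not part of the assignment or of the posted solution), the following Python models the guessing odds of the PIN-only login described in Question 1. It assumes that the PIN space is the 10,000 four-digit strings, that each of the N users holds a distinct PIN, that the backend accepts a login whenever the typed PIN matches any user's PIN (since no username is entered), and that Eve never repeats a guess. The lockout helper and the n_users=1 variant are assumptions used to show what a username and an attempt limit change.

```python
"""Guessing odds for a PIN-only login: an added illustration, not the assignment's own solution.
Assumptions (constructed to match the scenario): the PIN space is the 10,000 four-digit strings,
each of the N users holds a distinct PIN, the backend accepts a login whenever the typed PIN
matches any user's PIN because no username is entered, and Eve never repeats a guess."""
from fractions import Fraction
from math import comb

PIN_SPACE = 10_000   # "0000" .. "9999"
N_USERS = 5_000


def p_hit_specific_user(attempts: int, space: int = PIN_SPACE) -> Fraction:
    """Probability that `attempts` distinct guesses include one specific user's PIN."""
    return Fraction(min(attempts, space), space)


def p_hit_any_user(attempts: int, n_users: int = N_USERS, space: int = PIN_SPACE) -> Fraction:
    """Probability that `attempts` distinct guesses include at least one assigned PIN.
    Complement event: every guess falls among the space - n_users unassigned PINs."""
    unassigned = space - n_users
    if attempts > unassigned:
        return Fraction(1)
    return 1 - Fraction(comb(unassigned, attempts), comb(space, attempts))


def attempts_for(target: Fraction, n_users: int = N_USERS, space: int = PIN_SPACE) -> int:
    """Smallest number of distinct guesses whose success probability reaches `target`."""
    k = 0
    while p_hit_any_user(k, n_users, space) < target:
        k += 1
    return k


def p_before_lockout(max_attempts: int, n_users: int = N_USERS, space: int = PIN_SPACE) -> Fraction:
    """Success probability when the backend locks the PIN prompt after max_attempts failures
    (an assumed control).  n_users=1 models a PIN that is checked only against the named user,
    i.e. the effect of also entering a unique username."""
    return p_hit_any_user(max_attempts, n_users, space)


if __name__ == "__main__":
    print("specific user, one try:", p_hit_specific_user(1))
    print("any user, one try:", p_hit_any_user(1))
    print("tries needed for probability >= 0.5:", attempts_for(Fraction(1, 2)))
    print("with a username, 3 tries then lockout:", p_before_lockout(3, n_users=1))
    print("without a username, 3 tries then lockout:", p_before_lockout(3))
```

The point the numbers make is that the keyspace alone is not the risk: because 5,000 of the 10,000 PINs are assigned and no username narrows the check, a single guess already lands on some account far more often than on a chosen one, and adding a username plus an attempt limit collapses the attacker's odds to the per-user figure.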
Question 2 (10 marks)
Consider the Android app discussed in the previous question, and suppose that LanjaMar hired your incredibly
cool security consultancy startup to carry out a detailed security analysis on 100 users’ data for
determining whether or not their authentication was breached. Jane was one of the users of the app. The
result of the study showed that 90 out of a total of 100 users had been attacked. Jane was one of the 10 who
had not been attacked. Suppose that your startup published the study and made the stats public:
“100 users participated in a study. 90 had been attacked.” Consider that another attacker Eve came to know
that Jane was one of the remaining 10 who was not subject to these attacks. A few days later, there is a
data breach disclosing the names of 99 participants each with a flag against their names indicating whether
they had been attacked or not. In other words, a flag against a name necessarily means that your credentials
were compromised. Fortunately for Jane, her name did not appear in the data breach list (the data entry
person forgot to enter her name).
(a) Explain how Eve can find out if Jane has been attacked or not. (2 mark)
(b) Suppose instead of publishing the true count (i.e., a), the study applied differential privacy on the
number of people who were subject to attack as follows, by publishing a′ = 90 + Lap(1), where Lap(·) denotes
a Laplace random variable of mean 0 and scale 1. Using numpy.random.laplace(0, 1) from the Python
library numpy, show 10 sample outputs of a′ (i.e., the differentially private true count). (4 marks)
(c) Noting that the number 100 represents the number of users of this application whose details were
examined and made available in the public domain, explain how the above mechanism protects Jane’s
privacy even after the data breach. (4 marks)
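As an added illustration of parts (a) to (c) (not the assignment's own solution), the following Python implements the Laplace mechanism for the attack count and runs the differencing step Eve would perform against the exact and the noisy release. It uses only the standard library so it runs offline; laplace_sample draws from the same Lap(0, scale) distribution that numpy.random.laplace(0, scale) would. The epsilon = 1 reading of a′ = 90 + Lap(1) (sensitivity 1, scale 1), the seed and the breach flag total are assumptions constructed for the example.

```python
"""Laplace mechanism for the study's attack count: an added illustration, not the assignment's
own solution.  Standard library only; laplace_sample draws from the same Lap(0, scale)
distribution that numpy.random.laplace(0, scale) would.  The seed and the breach figures
below are constructed for the example."""
import math
import random

TRUE_COUNT = 90       # attacked users in the study
BREACH_FLAG_SUM = 90  # flags in the leaked 99-name list; Jane (not attacked) is the missing name
SENSITIVITY = 1       # one person joining or leaving the study moves the count by at most 1


def laplace_sample(rng: random.Random, scale: float) -> float:
    """Inverse-CDF draw from Lap(0, scale)."""
    u = rng.random() - 0.5                     # uniform on [-0.5, 0.5)
    while u == -0.5:                           # avoid log(0) at the closed end
        u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def laplace_pdf(x: float, scale: float) -> float:
    """Density of Lap(0, scale) at x."""
    return math.exp(-abs(x) / scale) / (2.0 * scale)


def private_count(true_count: int, epsilon: float, rng: random.Random) -> float:
    """a' = a + Lap(SENSITIVITY / epsilon).  The assignment's a' = 90 + Lap(1) is epsilon = 1."""
    return true_count + laplace_sample(rng, SENSITIVITY / epsilon)


def sample_outputs(n: int, epsilon: float = 1.0, seed: int = 2022) -> list:
    """n independent releases of the noisy count (the assignment asks for 10)."""
    rng = random.Random(seed)
    return [private_count(TRUE_COUNT, epsilon, rng) for _ in range(n)]


def differencing_attack(published: float, known_flag_sum: int) -> float:
    """Eve's inference: published total minus the flags she read in the breach.
    With the exact count this equals Jane's flag (0 or 1); with the noisy count it is a
    real number that is consistent with both values."""
    return published - known_flag_sum


def likelihood_ratio(observed: float, known_flag_sum: int, epsilon: float) -> float:
    """How much more likely the observed release is under 'Jane attacked' (true count
    known_flag_sum + 1) than under 'Jane not attacked' (true count known_flag_sum).
    For the Laplace mechanism this ratio never exceeds exp(epsilon)."""
    scale = SENSITIVITY / epsilon
    return (laplace_pdf(observed - (known_flag_sum + 1), scale)
            / laplace_pdf(observed - known_flag_sum, scale))


if __name__ == "__main__":
    for a_prime in sample_outputs(10):
        print(f"a' = {a_prime:.3f}")
    print("exact release gives Eve Jane's flag:", differencing_attack(TRUE_COUNT, BREACH_FLAG_SUM))
    noisy = sample_outputs(1)[0]
    print("noisy release gives Eve:", round(differencing_attack(noisy, BREACH_FLAG_SUM), 3),
          "| likelihood ratio:", round(likelihood_ratio(noisy, BREACH_FLAG_SUM, 1.0), 3),
          "<= e =", round(math.e, 3))
```

The likelihood_ratio function is the check a reviewer would want: whatever value a′ takes, the odds Eve can assign to Jane's flag move by at most a factor of e^ε relative to what she believed before the release, which is exactly why the breach list plus the noisy count does not pin Jane down the way the exact count does.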
Question 3 (10 marks)
Reasoning about the code.
(a) In the lecture slides on Kerberos, explain why B needs to check that the time stamp tA is fresh, i.e.,
that it lies within a small time interval around B's local time, when B is already checking that time
stamp tA is within the validity period l. (2 mark)
(b) Explain how and why the following codes (in Figure 1a and 1b) yield different results. (2 mark)
[Figure 1 (listings 1a and 1b) is not reproduced on this page.]
Figure 1: Example of Off-by-One-Error (OBOE).
(c) Consider the following C code. (4 mark)
    void OutputZero (char s[], char sep, int n){
        int j = 0;
        int k;
        while ( s[j] != sep ){
            j++;
        }
        for ( k = j+1; k < n; k++ ){
            s[k] = '0';
        }
        s[k] = '\0';
    }
(d) Is the above code memory safe? If yes, prove it by writing the precondition and invariants. If not,
describe the modifications required and prove that the modified code is memory safe. (2 mark)
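As an added illustration of how to check a function like the one above for memory safety (not the assignment's own solution), the following Python transcribes OutputZero line for line but routes every access to s through a bounds-checked buffer that raises at the first index outside [0, n), rather than silently touching memory as C would. output_zero_safe is one candidate modification written under the assumption that n is the size of s and the caller expects a '\0'-terminated result; its docstring states the precondition and invariants it relies on. All input strings are constructed for the example.

```python
"""Bounds-checked simulation of OutputZero: an added illustration, not the assignment's own
solution.  The C function is transcribed line for line, but every access to s goes through
CheckedBuffer, which raises at the first index outside [0, n).  output_zero_safe is one
possible modification, written under the assumption that n is the size of s and the caller
wants a '\\0'-terminated result.  All input strings are constructed for this example."""
from itertools import product


class CheckedBuffer:
    """A char array of length n that refuses out-of-range reads and writes."""

    def __init__(self, data: str):
        self.cells = list(data)
        self.n = len(data)

    def _check(self, i: int, op: str) -> None:
        if not 0 <= i < self.n:
            raise IndexError(f"{op} s[{i}] outside s[0..{self.n - 1}]")

    def read(self, i: int) -> str:
        self._check(i, "read")
        return self.cells[i]

    def write(self, i: int, ch: str) -> None:
        self._check(i, "write")
        self.cells[i] = ch


def output_zero(s: CheckedBuffer, sep: str, n: int) -> None:
    """Transcription of the assignment's OutputZero."""
    j = 0
    while s.read(j) != sep:       # no bound on j: reads past the end if sep is absent
        j += 1
    k = j + 1
    while k < n:
        s.write(k, "0")
        k += 1
    s.write(k, "\0")              # k >= n here, so this write is always out of bounds


def output_zero_safe(s: CheckedBuffer, sep: str, n: int) -> None:
    """Candidate fix.  Precondition: n >= 1 and s has n cells.  Invariants: 0 <= j <= n and
    j + 1 <= k <= max(j + 1, n - 1), so every write lands in [j + 1, n - 2] or at n - 1,
    all inside [0, n); every read uses j < n."""
    j = 0
    while j < n and s.read(j) != sep:
        j += 1
    k = j + 1
    while k < n - 1:
        s.write(k, "0")
        k += 1
    if n >= 1:
        s.write(n - 1, "\0")


def run(func, data: str, sep: str):
    """Run func on a fresh buffer; return (first violation or None, final buffer contents)."""
    buf = CheckedBuffer(data)
    try:
        func(buf, sep, buf.n)
    except IndexError as exc:
        return str(exc), "".join(buf.cells)
    return None, "".join(buf.cells)


def always_in_bounds(func, alphabet: str = "a,", max_n: int = 5, sep: str = ",") -> bool:
    """Exhaustively try every string over `alphabet` of length 1..max_n."""
    for n in range(1, max_n + 1):
        for chars in product(alphabet, repeat=n):
            if run(func, "".join(chars), sep)[0] is not None:
                return False
    return True


if __name__ == "__main__":
    print(run(output_zero, "ab,cd", ","))        # separator present: terminator written at s[n]
    print(run(output_zero, "abcd", ","))         # separator absent: read runs off the end
    print(run(output_zero_safe, "ab,cd", ","))
    print("original always in bounds:", always_in_bounds(output_zero))
    print("safe version always in bounds:", always_in_bounds(output_zero_safe))
```

The exhaustive check over short inputs is a cheap substitute for a proof: it cannot establish safety for all n, but it finds the two failure modes (an unbounded scan when sep is missing, and the terminator written at index n) on inputs of length one or two, and it shows that the candidate fix has none on any string it tries.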
Assessment
For all questions in this assignment not only content but also presentation will affect your mark. You may
lose marks if there are considerable problems with the presentation, particularly with clarity. This means
that your answers to each question should be a coherent statement. You should ensure that spelling and
grammar mistakes of your submission are kept to a minimum.
• Clarity:
– Ambiguous or poorly worded answers will receive a grade no more than a pass for the individual
question.
• Correctness of approach taken and answer obtained:
– Incorrect answers with the correct logic or approach will not necessarily be penalised.
– Correct answers with incorrect logic or approach will receive no more than a pass for the individual
question.
– Incorrect answers with no explanation of the approach taken or with the incorrect approach will
receive a fail grade for the individual question.
The questions will be marked individually, the marks totalled, and a final grade assigned that is no more
than indicated by the total marks, and no more than allowed by the standards specified above and in the
unit outline.
Submission
The assignment will be submitted via Turnitin, and it will be marked and returned online. There are no
hardcopy submissions for written assignments.
Ensure you submit the correct file. The submission process shows you a complete preview of your entire
assignment after you have uploaded it but before you have submitted it. Carefully check through every
single page to ensure everything is there and the correct version has been uploaded, and only then press
CONFIRM.
Multiple submissions may be possible via Turnitin prior to the final due date and time of an assessment task,
and originality reports may be made available to students to view and check their levels of similarity prior to
making a final submission. Students are encouraged to use these reports to ensure that they do not breach
the Academic Honesty Policy through high levels of similarity.
Late Submission and Special Considerations. From 1 July 2022, students enrolled in Session-based
units with written assessments will have the following late penalty applied. Please refer to
https://students.mq.edu.au/study/assessment-exams/assessments for further information. Unless a Special
Considerations request has been submitted and approved, a 5% penalty (of the total possible mark)
will be applied each day a written assessment is not submitted, up until the 7th day (including weekends).
After the 7th day, a grade of '0' will be awarded even if the assessment is submitted. Submission time for
all written assessments is set at 11:55 pm. A 1-hour grace period is provided to students who experience a
technical concern.
Plagiarism
To prepare this assignment, please refer to the “How to do literature review?” document provided on
COMP8260’s iLearn page. Please avoid presenting someone else’s work as your own. When you use a
source other than yourself to write a paper, you must cite that source. Sources available on the Internet
must also be cited, including the Web address of the site. If you take an original source and modify it to
turn in as your own work, you are also guilty of plagiarism (with a possible penalty of an F grade). You need to
write your own words and phrases that express your own ideas. You should be well aware of the University’s
plagiarism policy (footnote 1).
1 Please refer to https://students.mq.edu.au/study/assessment-exams/academic-integrity
Answered 1 day after Aug 16, 2022

Solution

Aditi answered on Aug 17 2022
73 Votes
COMP8260 Advanced System and Network Security
Assignment 1
https://www.coursehero.com/file/72067813/Assignment-1-Sachet-Bimali-45849285pdf
A.1.
a. Assume Alex is one of the users. What is the probability that an attacker, Eve, can guess Alex’s PIN in one try?
If Eve were ever to grab the personal identification number (PIN), she would, in principle, be able to figure it out on the very first try. There are a variety of methods that may be used to steal the PIN number, one of which is to place a tiny camera in such a location that it records when ALEX inputs the code. The illicit tactics of skimming credit card and bank numbers will be the primary emphasis of this discussion. This skimming may be accomplished by the installation of tiny cameras, and the data from the magnetic strip can be read by an attacker or hacker through the use of ghost terminals. An attacker who has created a clone of a debit or credit card has the ability to get the PIN for the original card. EVE has a probability of 33.33 percent of successfully figuring out ALEX's PIN if she employs any of the aforementioned methods.
b. What is the probability that Eve can guess any user’s PIN in the first attempt?
After three attempts, EVE has a good chance of figuring out the PIN of any user. A variety of different strategies may be used to attempt to guess the PIN. The illicit tactics of skimming bank or credit card numbers will be the primary emphasis of this discussion. This skimming may be accomplished by the installation of tiny cameras, and the data from the magnetic strip can be read by the attacker or hacker through the use of ghost terminals. An attacker may access a debit or credit card's personal identification number (PIN) if a clone of the original card is created. You simply need to guess correctly three times out of every four attempts (33.33%) in order to successfully guess a user's PIN.
c. How many attempts are needed by Eve to guess any user’s PIN with a probability at least 0.5?
If EVE is only given one chance to guess the password, the likelihood is equal to 10 multiplied by -4, which is a very low probability.
If the likelihood is fifty percent, then EVE has a possibility of correctly guessing the PIN with a probability equal to fifty percent multiplied by four. In other words, she has a one in four chance of getting it right.
It is up to the user to select how they will make use of the PIN; a user can opt to hide the PIN with their hand. It is feasible for the persons who are observing to get the PIN by employing shoulder surfers or hidden cameras to get the information.
d. You suggest to LanjaMar that the user should also enter a unique username. What issue does this mitigate? Does the use of a bank card in addition to entering a unique PIN offer a more robust authentication scheme?
Because it makes...