
Assignment #4

Type of assignment: This assignment should be done in the same groups as the term project.

Note: The assignment submission should clearly list the student members of the group, their names, and student numbers on the first page.

Points: The maximum number of points for this assignment is 45, which will be prorated accordingly after all assignments are posted. The weight of each problem is given in parentheses.

Format:

  1. Assignment submissions are accepted in the following formats only: PDF (.pdf). Assignments submitted in any other format will be discarded. All text in the assignment submissions must be typed and figures plotted to be easy to read and understand. Spelling, grammar, and other language errors will result in fewer points credited to the corresponding problem solutions.
  2. Your submission file should be named to reflect the group number (see group number assignments below), and the assignment number, e.g., group53-5.pdf.

Problems

  1. (TBA, was 10) (Malicious Logic): Pick one of the following pieces of malicious software (malware):

                1. Flame
                2. Koobface
                3. Stuxnet
                4. Blackworm (Nyxem.E)
                5. Natas
                6. One-half
                7. SMSZombie
                8. SQL slammer
                9. Code Red
                10. Blaster
                11. Sasser
                12. Conficker
                13. Kenzero
                14. VBMania
                15. Daprosy
                16. Storm Worm
    1. Post a message (one message per group) in the course WebCT discussion topic named "Malware" indicating which malware your group has picked.
    2. If another group posted an earlier message indicating that they had picked the same malware as your group, go back to step 1 and pick a "free" malware.
    3. Analyze the design of the picked malware, i.e., its structure, behavior, mechanisms it uses for selecting victims, infecting them, hiding itself and its authors, etc.
    4. Identify the aspects specific to your malware that can be used to detect or prevent it. Based on your analysis, recommend short, medium and long term countermeasures (i.e., protection and detection techniques) against the threat posed by this malware. Classify your techniques using material from the corresponding course session.
    5. Identify which of the principles for designing secure systems were not followed by the developers of the systems whose vulnerabilities allowed the malware you analyzed to become effective.
    6. Cite all your sources of information.
    7. Use no more than 4 pages to write a short report documenting your findings obtained in steps 3-5. Use figures and tables, if necessary, to achieve better impact of your report.
    8. Your report should be submitted as one file in the IEEE Transactions format, with proper title, authors, abstract, introduction, body, conclusion, and references sections.
    9. Post your report in PDF on the WebCT discussion topic named "Malware" by the same deadline as the one for this assignment. Marks for late reports will be decreased by 1% of the problem mark for each minute after the deadline.


  1. (35) (Development of Secure Software): Each group is to successfully complete as many lessons as it can by logging in to http://webgoat.ece.ubc.ca/WebGoat/attack (you have to be on the UBC network to be able to access it; if working from home, VPN to UBC with your CWL account) with the corresponding user name and password from the following table. Groups cannot help each other. If it is found out that one group received help from another group, both groups will receive zero points for this problem even if one of them is eligible for the bonus points (see below). One point per completed lesson will be credited for this problem. Not all questions are equally difficult. The lessons are on learning about common vulnerabilities of Web applications. Some of these vulnerabilities are common to many other types of software applications.

    Important rule: WebGoat source code cannot be examined in order to complete this question. That is, you cannot download the source code for WebGoat and examine it in order to help yourself with the assignment.

    Hints for increasing success with this problem:
    1. You can access webgoat.ece.ubc.ca only from the UBC network. To access it from outside of the UBC network, you need to use VPN (see www.vpn.ubc.ca for instructions). If on campus, use an IAPv2 port, which can be found in various buildings, including MacLeod and the Libraries. Direct your questions about IAPv2 ports to ECE IT services (help@ece.ubc.ca).
    2. Install a personal copy of WebGoat on your computer(s) so that you can restart WebGoat whenever it crashes because of your actions. webgoat.ece.ubc.ca will crash too often if every group tries to attack it while doing this assignment.
    3. If you cannot access webgoat.ece.ubc.ca because, for example, your group or another group crashed WebGoat, send an e-mail to help@ece.ubc.ca asking to reboot WebGoat on webgoat.ece.ubc.ca. The course teaching staff does not have privileges to reboot WebGoat on that host.

      Attention: Only the report card on webgoat.ece.ubc.ca counts for marks. So, make sure your group account completes the lessons on webgoat.ece.ubc.ca.
    | group members | username | password |
    |---|---|---|
    | Adama Amedu-Ode, Nathan Cheung, Avi Kumar, Simon Mo | group01 | VTe2100x |
    | Yeung Cheung, Crystal W.L. Ng, Tin Chi Yeung | group02 | Ek8OL0Tz |
    | Joanne Chow, Steven Chow, Brian Lau, Xiu Ying Qian | group03 | W6t98794 |
    | Preethal Fernandes, Richard Hsu, Edmond Louie, Yi Xin Wang | group04 | v0GF3gqq |
    | Victor de Lima Soares, Allister MacLean, Gabriel Morais Parreiras | group05 | Zo1P4WAP |
    | Nicholas Chow, Ben Jeffery, Adrian Lindsay, David Slater | group06 | 24H1BS6E |
    | Surya Adi Jaya, Edward Budiman, Jane Lau, Marlow Payne | group07 | Q326GCw0 |
    | Shirley Gong, Edward Han, Yonatan Indrajaya, Nathaniel Sham | group08 | jPH2e03l |
    | David Adomat, Ian Cheng, Malavika Mantripragada, Joshua Shelley | group09 | 96rU925x |
    | Changhoon Baek, Kevin Shiah, Andrew Kisoo Yoon | group10 | 8Oh4WHr1 |
    | Nick Adams, Craig Penner, Peter Schuurman | group11 | M7fDjy68 |
    | Denis Abalakov, Audun Lie Indergaard, Anuj Mehta, Dhruv Raturi | group12 | IRGbqHcY |
    | Keith Lee, Mark Ginga Misawa (Duppenthaler), Shruti Shruti, Cary Wong | group13 | GTE6FL3i |
    | Tao Cheng, Ken Hu, Timothy Tang, Vinson Yu | group14 | 631A7c7l |
    | Braulio Vladimir Chavez Nuñez, Joey Liu, Aobo Yu, Lixing Yu | group15 | 7m0jr1bU |
    | Nor Bainin Khairudin, Kevin Li, Lap Kiu Li, Calvin Ng | group16 | 4pNJxENP |

  2. (9 points) (Bonus question) The first group that also completes the challenge of attacking three "hackable" admin interfaces and posts a message on the course WebCT discussion topic "Assignments" indicating that it completed the challenge will receive an additional (i.e., bonus) 9 points for this assignment. The group will have to demonstrate to the course TA the technique of accomplishing the challenge before the credit is dispensed. If the group fails to demonstrate, the second group will become eligible for the bonus.

    Important rule: WebGoat source code cannot be examined in order to complete this question, i.e., you cannot download a distribution of WebGoat and go through its source code. However, you can look at the code provided in each lesson.

Copyright © 2003-2010 Konstantin Beznosov