Assignment 1 (15%) – Individual Assessment
Assignment Description
In this assignment you will learn about software vulnerabilities and the systems that catalogue and rate them: Common Vulnerabilities and Exposures (CVE), the National Vulnerability Database (NVD), Common Weakness Enumeration (CWE) and the Common Vulnerability Scoring System (CVSS). The assignment consists of the following two parts.
Part 1 - Vulnerability Identification and fixing
1.1. Study SQL Injection (CWE-89), OS Command Injection (CWE-78) and Code Injection (CWE-94) on the Common Weakness Enumeration website and related sites. Write in your own words what you understand each of these vulnerabilities to be (up to 100 words per vulnerability type). (1%)
1.2. Identify 2 GitHub repositories for each of the three vulnerabilities. These need not be six distinct repositories: a single repository may contain all three vulnerabilities, so the minimum number of repositories is 2 and the maximum is 6. Each selected repository must satisfy the following conditions. (2%)
· The programming language must be Java, JavaScript or PHP
· The repository has more than 100 stars and more than 10 contributors on GitHub
Please note that each student is expected to identify unique GitHub repositories. We will be able to detect whether you have shared the details of your selected repositories with another student, or whether the repositories are identical by chance.
Once you have identified such repositories, you will need to extract and document the following information.
A. Name of the repository
B. Number of repository stars
C. Number of contributors in the repositories
D. Type of vulnerability (CWE)
E. Link to the file
F. Link to the commit that fixes the vulnerable file
G. Name of the file
H. The programming language used in the file
1.3. Take a screenshot of each vulnerable source file you identified and underline (in red) the code lines that contain the vulnerability. There will be a total of 6 screenshots. For each screenshot, explain (within 100 words per vulnerability) how the underlined lines correspond to the definition or causes of the vulnerability (e.g., SQL injection) and how an attacker could exploit that code. (3%)
1.4. Explain (within 100 words per vulnerability) how each vulnerability can be fixed. (1%)
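The three weakness classes from 1.1 and the kind of fix asked for in 1.4, shown side by side in runnable form. This is an added example, not code from any repository the assignment refers to; it uses Python because its standard library lets all three cases run offline against constructed data (an in-memory SQLite table, the echo command, and a small expression evaluator). The same fixes carry over to the assignment's target languages: a prepared statement (PreparedStatement in Java, PDO prepared statements in PHP, placeholder parameters in the Node MySQL/Postgres drivers) instead of string-built SQL; an argument list with no shell (ProcessBuilder, execFile, or escapeshellarg before a shell call) instead of a concatenated command line; and a parser over an allow-list instead of eval().

```python
"""Vulnerable pattern next to its fix for CWE-89, CWE-78 and CWE-94.
Added example with constructed sample data and constructed attack inputs."""
import ast
import operator
import sqlite3
import subprocess


# ---------- CWE-89: SQL injection ----------
def _demo_db():
    """Constructed in-memory table standing in for an application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cr3t"), ("bob", "hunter2")])
    return conn


def find_user_vulnerable(name):
    """The input is spliced into the statement text, so a quote in it rewrites the WHERE clause."""
    conn = _demo_db()
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def find_user_fixed(name):
    """Parameterised query: the value is bound separately and is never parsed as SQL."""
    conn = _demo_db()
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


SQL_PAYLOAD = "' OR '1'='1"  # turns the condition into a tautology: every row matches


# ---------- CWE-78: OS command injection ----------
def greet_vulnerable(name):
    """A shell command line is built by concatenation; ';' in the input starts a second command."""
    cmd = "echo Hello " + name
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def greet_fixed(name):
    """Argument list, no shell: the input reaches echo as one argv entry, metacharacters and all."""
    return subprocess.run(["echo", "Hello", name], capture_output=True, text=True).stdout


CMD_PAYLOAD = "alice; echo INJECTED"  # second command smuggled in after the separator


# ---------- CWE-94: code injection ----------
def calc_vulnerable(expr):
    """eval() executes whatever Python the caller supplies, not just arithmetic."""
    return eval(expr)


_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub,
           ast.Mult: operator.mul, ast.Div: operator.truediv}


def calc_fixed(expr):
    """Parse to an AST and evaluate only an allow-list of nodes (numbers, + - * /, unary minus).
    Names, calls, attribute access and anything else raise ValueError instead of running."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
            return _BINOPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        raise ValueError("rejected expression element: " + type(node).__name__)
    return walk(ast.parse(expr, mode="eval"))


CODE_PAYLOAD = "__import__('os').getpid()"  # arbitrary code where a sum was expected


if __name__ == "__main__":
    print("CWE-89 vulnerable:", find_user_vulnerable(SQL_PAYLOAD), "fixed:", find_user_fixed(SQL_PAYLOAD))
    print("CWE-78 vulnerable:", repr(greet_vulnerable(CMD_PAYLOAD)), "fixed:", repr(greet_fixed(CMD_PAYLOAD)))
    print("CWE-94 vulnerable:", calc_vulnerable(CODE_PAYLOAD))
    try:
        calc_fixed(CODE_PAYLOAD)
    except ValueError as exc:
        print("CWE-94 fixed:", exc)
```

When writing up 1.3, the useful observation is that in each vulnerable function the attacker-controlled string is handed to an interpreter (the SQL engine, /bin/sh, the Python compiler) as part of the program text; each fix keeps it as data for that interpreter, which is why an escaping-only fix is weaker than the structural one shown here.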
Part 2 - Exploring and understanding vulnerability resources.
2.1. Visit the official websites of Common Vulnerabilities and Exposures (CVE), the National Vulnerability Database (NVD), Common Weakness Enumeration (CWE) and the Common Vulnerability Scoring System (CVSS) and study them. This part gives you background on security vulnerabilities. You do not have to submit this part.
2.2. Install Git and learn how to use its commands (e.g., git log, git show, git diff). You DO NOT have to submit this part.
2.3. Register a GitHub account or reuse your existing one.
2.4. Determine the CWE (type) of each vulnerability. Include the CWE you have found in the report. (1%)
2.5. Study how to get from a CVE-ID to the corresponding GitHub repository for each assigned vulnerability. Describe step by step in the report how you went from the vulnerability to its software repository. (200-300 words) (2%)
2.6. Identify and describe the bug report in the issue tracking system (e.g., Jira, Bugzilla, or the GitHub repository's own issue tracker) that reports the vulnerability and its fix. Include a screenshot, the link, the fixing commit and your comments on the status of the vulnerability in the report. (3%)
2.7. Compare the fixing commits you have identified for each vulnerability with the ones provided for you in the link above. If they do not match, explain why in the report (in up to 300 words). Also record the results in the following table. (1%)
| CVE-ID | CVE-2018-11087 | CVE-2017-14735 |
| Link | | |
| Fixing Commit | | |
| Type (CWE) | | |
| CVSS Version 2 metrics | | |
| CVSS Version 2 base score | | |
| Comparison with NVD | | |
| CVSS Version 3 metrics | | |
| CVSS Version 3 base score | | |
| Comparison with NVD | | |
2.8. Imagine you are the developer responsible for the vulnerable project and have found the vulnerability. To have it included in the NVD database, you may need to suggest an assessment of each vulnerability based on CVSS 2.0 (the commonly used version) and CVSS 3.0 (the newer version). Include your CVSS version 2 and version 3.0 metrics for each vulnerability, with a detailed explanation of each metric choice. Then compute the CVSS version 2 and version 3.0 base scores and compare them with the scores provided on NVD. Make sure you compute your scores from your own reasoning first, without looking at NVD. If no score is available on NVD, you may skip the comparison step. Record all of this in the table above. (1%)
Submission: A PDF document with Times New Roman of font size 12.
Tips about how I would go about doing this assignment:
Part 1
I will first study the vulnerabilities mentioned in the task on the Common Weakness Enumeration website. Google is also always worth a try if I want to explore more. Then I will try to use the name of the vulnerability and search for it on GitHub. After I find the repositories, I will filter them using the above criteria. Then I will focus on the vulnerable files and analyse them line by line or use existing tools. If there is already a fix for that vulnerability, I will include it in my report. Otherwise, I will try to see how I can fix it using the mitigation techniques I have learned for the vulnerability. I will explain how my findings match the materials I have learned for that vulnerability.
Part 2
I would first study CVE, NVD, CWE and GitHub to see how they link with each other. After I understand their connection, I can identify the CWE and describe the process for the vulnerability. Then I can start searching for bug reports in the suggested locations above. If I cannot find it there, Google is always worth a try. After I find the bug report, I would try to find whether the developers/testers mention the link where they fixed that vulnerability. That would likely be my fixing commit. Finally, I would compare the one I have found with the provided one. If it does not match, then I try to investigate the provided commit to see how it is related to the vulnerability I am working on and also to my identified commit. To do this investigation step, cloning the GitHub repositories locally is a good way to go. I will use my experience and reasoning to fill in the value for each metric and then compute the score using the CVSS calculator. I will then compare my scores with the ones on NVD if they are available and give my detailed reflections. Then I will describe and explain in detail each task for each vulnerability in the report.