
Clinique Stephens

Written Assignment #2
4. A program is written to compute the sum of the integers from 1 to 10. The programmer,
well trained in reusability and maintainability, writes the program so that it computes the
sum of the numbers from k to n. However, a team of security specialists scrutinizes the
code. The team certifies that this program properly sets k to 1 and n to 10; therefore, the
program is certified as being properly restricted in that it always operates on precisely the
range 1 to 10. List different ways that this program can be sabotaged so that during
execution it computes a different sum, for example, 3 to 20.

A.) Someone changes the source code before its compilation.

B.) Someone patches the binary object code while it is stored on disk before execution.

C.) During execution, an outside process patches the object code.

6. List three controls that could be applied to detect or prevent off-by-one errors.

- The best way to prevent off-by-one errors is encapsulation. For example, instead of using a for loop that iterates over a collection by index (from 0 to count - 1), use a for-each style loop with all the logic of where to stop built into the enumerator. That way you only have to get the bounds right once, when writing the enumerator, instead of every time you loop over the collection.

- If subtraction between integers represents indexes or ranges, then the solution is to separate the range and index concepts.

- Microsoft SAL (source-code annotation) can prevent off-by-one errors.
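As an added example (my own illustration, not part of the assignment text), here is the sum-from-k-to-n program of question 4 written two ways: an index-based loop that carries the classic off-by-one defect, and a version that encapsulates the inclusive bounds in a single enumerator (`InclusiveRange`, a name I made up) so the "+1" lives in exactly one place. A closed-form oracle serves as a detection control: any disagreement between the loop and the formula flags a bounds error.

```python
"""Off-by-one demo: summing the integers k..n inclusive (constructed example)."""
from typing import Iterator


def sum_indexed_buggy(k: int, n: int) -> int:
    """Index-based loop with the classic off-by-one defect.

    Python's range() excludes its stop value, so this actually sums k..n-1.
    Every caller that writes such a loop has to remember the +1; here it is
    forgotten, which is exactly the class of bug encapsulation avoids.
    """
    total = 0
    for i in range(k, n):
        total += i
    return total


class InclusiveRange:
    """Enumerator that owns the inclusive bounds; callers never touch indexes."""

    def __init__(self, first: int, last: int) -> None:
        if first > last:
            raise ValueError("empty range: first must not exceed last")
        self.first, self.last = first, last

    def __iter__(self) -> Iterator[int]:
        # The +1 appears once, here, instead of in every loop over the range.
        return iter(range(self.first, self.last + 1))

    def __len__(self) -> int:
        return self.last - self.first + 1


def sum_encapsulated(k: int, n: int) -> int:
    """For-each style: the stop logic is built into the enumerator."""
    return sum(InclusiveRange(k, n))


def closed_form(k: int, n: int) -> int:
    """Independent oracle: (sum 1..n) - (sum 1..k-1), computed without a loop."""
    return n * (n + 1) // 2 - (k - 1) * k // 2


def check_bounds(k: int, n: int) -> dict:
    """Detection control: compare both implementations against the oracle."""
    expected = closed_form(k, n)
    return {
        "indexed": sum_indexed_buggy(k, n),
        "encapsulated": sum_encapsulated(k, n),
        "expected": expected,
        "indexed_ok": sum_indexed_buggy(k, n) == expected,
        "encapsulated_ok": sum_encapsulated(k, n) == expected,
    }
```

Running `check_bounds(1, 10)` shows the indexed loop returning 45 instead of 55, while the encapsulated version matches the oracle; the same holds for the sabotaged range 3 to 20 from question 4.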

9. An electronic mail system could be used to leak information. First, explain how the
leakage could occur. Then, identify controls that could be applied to detect or prevent the
leakage.

How could the leakage occur?

With the advent of e-mail, sensitive information leakage has become a daunting problem in
today's world. Quite often, the mail volume from a company is huge, making manual monitoring
impossible. Automatic screening mostly relies on the idea of content scanning, but sometimes
the information is so sensitive that even scanning the mails by a third party may not be permitted.
Detection under such restrictions becomes difficult. Also, mails originating from specific
organizations are often restricted in their subject and content, suggesting that powerful generic
techniques like content scanning may not be needed.

Which controls could be applied to detect or prevent the leakage?

We propose that selection of proper input variables relevant to the domain could help in such
cases; a simple, straightforward learning scheme can then detect information leaks efficiently
using only mail pattern analysis. We used our technique on real-life mails from financial
institutions. By choosing the input variables judiciously, we were able to learn the mail patterns
quite well and detected violations efficiently. The preliminary results are encouraging, with an
accuracy close to 92%. This technique is now being implemented in a real-life commercial tool.

19. (a) You receive an email message that purports to come from your bank. It asks you to
click a link for some reasonable-sounding administrative purpose. How can you verify that
the message did come from your bank? (b) Now play the role of an attacker. How could
you intercept the message described in part (a) and convert it to your purposes while still
making both the bank and the customer think the message is authentic and trustworthy?

A) Each bank has a verification certificate on the e-mails it sends. I need to verify that this
email carries this certificate, and I also need to check the domain it came from, because it needs to
be exactly the same as the one from my bank.

I also need to use anti-virus and anti-spyware and firewall on my computer.

B) I would send an email to the customer thanking him for providing the information,
signing in the name of the bank, and use the information for whatever purpose I wanted
immediately.

To make sure the bank never knows what is going on, I would install spyware on the computer
of the person to monitor his activities.
