Sample Final Exam Questions
COMPSCI 725 Software Security
Clark Thomborson
Computer Science Department, University of Auckland
1st May, 2001
Instructions:
This exam will not be graded.
Write your answers on a separate sheet.
Do not write your name on your answer sheet. If you turn in an answer sheet to me at the end of this class
period, I may use one or more of your answers in a class discussion.
A. Legal, Ethical and Conceptual Frameworks
1) Professor Charles W Turner, of IEEE’s Member Conduct Committee, recently wrote, “It is clearly unethical to pursue patent protection while ignoring or denying the existence of prior work elsewhere in the world...”
In approximately 50 words, analyse Professor Turner’s statement in terms of any one of the ethical systems discussed in class:
· Pfleeger’s “universal, self-evident, natural rules” (right to know, right to privacy, right to fair compensation for work);
· Sir David Ross’ duties (fidelity, reparation, gratitude, justice, beneficence, nonmaleficence, self-improvement);
· Christian ethics (Mosaic law, faith, hope, love, charity, Golden Rule);
· Confucian ethics (Jen, Chun Tzu, Li, Te, Wen);
· Islamic ethics (economic, social, military, religious).
2) If an attacker clones a cellphone, and thereby gets access to the cellphone owner’s voicemail inbox, what integrity expectation of the cellphone’s owner could be violated? Answer in approximately 50 words, being careful to define a specific integrity expectation that could be attacked in this way, and how this integrity expectation could be violated.
B. Applications of Cryptography
3) Name, and briefly describe, three applications of PKI. Your answer should consist of three sentences of the form “PKI can be used for X, which is …” Each sentence should be approximately 15 words in length.
C. Secure Software Design Techniques
4) The overall goal of the S.E.E. Mail project is “to facilitate the exchange of email and documents using the Internet” among agencies of the New Zealand Government. Here is a question/answer pair appearing on a webpage entitled “S.E.E. Mail – Frequently Asked Questions” (http://www.e-government.govt.nz/projects/see/mail6.html):
Why doesn’t S.E.E. Mail encrypt the “To:”, “From:” and “Subject” fields?
S.E.E. Mail products are “Off-The-Shelf” commercial offerings. They have not been customised. Accordingly we have had to live with the vendors’ implementations of the S/MIME standard.
a) One of the articles you read this term used a four-letter acronym, instead of the phrase “‘Off-The-Shelf’ commercial offerings”. What was this acronym?
b) Write a total of approximately 50 words, listing and very briefly explaining two advantages and two disadvantages of the S.E.E. Mail project’s decision to use “‘Off-The-Shelf’ commercial offerings”.
D. Copy Detection and Prevention
5) Cox and Linnartz distinguish between “restricted-key” and “unrestricted-key” watermarking. In “restricted-key” watermarking, a small number of highly trusted receivers can read the watermark. In “unrestricted-key” watermarking, a very large number of weakly trusted receivers can read the watermark. For the case of recorded media such as music, both types of watermarking are important. Restricted-key watermarks could be discovered by trusted agents of a media company, who monitor broadcasts (on radio, television and the web) for copyright and licensing infringements using special receivers.
In approximately 50 words, explain the purpose and operation of an unrestricted-key watermarking system that is implemented in contemporary DVD players.