School of Computing & Information Technology
CSCI358 Security Engineering Summer Session 2017/2018
Assignment (30 marks worth 10%)
Due 11:55pm Friday 26th January 2018
You should include appropriate referencing and put answers in your own words. Failure to provide references for a question where it is clear references were used will result in a mark of zero for that question.
1. The assignment section on Moodle contains a zip file FpMV with some Windows executables and a Fingerprint.png fingerprint image file in it. To answer the questions here you will need to run FpMV. The fingerprint image is taken from one of the NIST Fingerprint databases.
(a) Once you have loaded the fingerprint file you will see a list of minutiae at the bottom.
i. Explain the meaning of the 4 terms: ( , ), Direction, Quality and Type; used to describe each minutia. 1 Mark
ii. Graph the Quality versus the number of accepted Minutiae. This and the later graph shouldn’t be hand drawn. 1 Mark
iii. Fingerprints are described as being in one of five categories: left loop, whorl, right loop, tented arch, arch. Which category do you think this fingerprint belongs to? Justify your answer. 1 Mark
(b) Use some sort of picture editing program to reduce the quality of the fingerprint image enough that the calculations on the modified image are appreciably different from the ones for the original image. Explain how you carry out this transformation and submit the modified image file Fingerprint2. That modified file doesn’t have to be png but it does need to load into FpMV so check that software for the compatible formats. 1 Mark
(c) Load your modified image, Fingerprint2, and ...
i. Describe some of the differences between the data for the original file and the data for the modified file. 1 Mark
ii. For this modified file generate a new record of the Quality versus the number of accepted minutiae curve, and add that curve to the earlier graph. 1 Mark
2. Answer the following questions in the context of a library.
(a) List the main types of objects present. 1 Mark
(b) List the groups of subjects present and show how they are related. 1 Mark
(c) State the actions available. 1 Mark
(d) Give a reasonable description of the access control for this system. 1 Mark
(e) Describe a specific human characteristic that might be considered a vulnerability in this system. Explain why it may be considered a vulnerability. 1 Mark
i. Explain how that characteristic may be exploited by an attacker for some specified purpose. 1 Mark
ii. Explain how that characteristic may lead to accidental damage. 1 Mark
3. Consider that I have an asset worth $2000. There are two mutually exclusive possible events.
• The first occurs with probability 0 = p = 0.5 and would reduce the value of the asset to $1500.
• The second occurs with probability
(a) What is the threshold value at which buying insurance would be “worthwhile for both parties”, as a function of p? Show working. 1 Mark
(b) Graph the insurance value as a function of a probability p. 1 Mark
4. What is the Tragedy of the Commons? How is it relevant to Internet security? 1 Mark
5. At some point it was planned that Starcraft would use the RealId system. Briefly explain what the RealId system is and state why the plan was abandoned. 1 Mark
6. These questions relate to diversity in redundant systems:
(a) What does diversity mean in the context of redundant systems? 1 Mark
(b) Give a specific example of diversity in an identified system. 1 Mark
(c) Why does diversity in redundant systems matter? 1 Mark
7. Give an example of how context affects the way we interpret information. Don’t use something mentioned in the lectures, lecture notes, or in the textbook. 1 Mark
8. Describe how you could use fault injection in the context of plagiarism detection. 1 Mark
9. Consider the payoff/payout table/matrix below and answer the questions that follow after it.
Alice\Bob   B1    B2    B3    B4
A1          2,3   0,4   1,1   3,3
A2          1,3   3,2   2,6   1,4
A3          4,2   4,4   5,1   3,3
A4          4,1   3,1   2,2   2,0
(a) Assuming Alice is only concerned with her own gain, is there a dominant strategy for Alice? Justify your answer and state the dominant strategy if there is one. 1 Mark
(b) Assuming Bob is only concerned with his own gain, is there a dominant strategy for Bob? Justify your answer and state the dominant strategy if there is one. 1 Mark
(c) Produce a matrix containing the difference between the result for Alice and Bob, so in each case it is the difference of the two entries, so A1B1 would contain -1. 1 Mark
(d) Is there a dominant strategy for Alice or Bob with respect to the difference matrix produced in the previous part? 1 Mark
10. Consider the following incomplete ALE table and answer the questions that follow after it.
Event   SLE              Annual Incidence   ALE
A       $200,000         0.004
B       $30,000                             $3,000
C                        200                $4,000
D                        100                $50
E       $400             2000
F       $16,000                             $16,000
G       $2,000,000,000   0.00000000005
(a) Complete the ALE table. 1 Mark
(b) Assuming we take no action but operate with the above, how much would we expect to lose in 5 years? 1 Mark
(c) Describe three general principles that can be used to determine whether a particular event needs to be dealt with. You need to think what would be appropriate guidelines. 1 Mark
(d) Apply the three general principles from part b. to the completed ALE table to describe what events should be addressed. 1 Mark
Notes on submission
Submission is via Moodle. Please submit your report in pdf, along with the Fingerprint2 file for Q1. The report may be processed through Turnitin so direct copying from websites and failure to appropriately reference will be picked up.
1. The deadline for submission is 11:55pm Friday 26th January 2018 through Moodle.
2. Late submissions will be marked with a 25% deduction for each day, including days over the weekend.
3. Submissions more than three days late will not be marked, unless an extension has been granted.
4. If you need an extension apply through SOLS, if possible before the assignment deadline.
5. Plagiarism is treated seriously. Students involved will likely receive zero.
© Luke McAven, SCIT-EIS-UOW, University of Wollongong, 2018.