FIT3173 Software Security Final Exam
Part A
TRUE/FALSE questions
1. Initialized global variables are stored in stack.
a) True b) False
2. Address Randomization is a mitigation for buffer overflow in stack.
a) True b) False
3. In a 32-bit operating system, the range of an unsigned integer number is 0 to 2^32 - 1.
a) True b) False
4. Getting random seed directly from time of microseconds is considered secure.
a) True b) False
5. In AES, ECB mode is more robust than CBC mode when data loss happens during transmission.
a) True b) False
6. Web application server is the target of SQL injection attacks.
a) True b) False
7. SQL injection can compromise both data confidentiality and data integrity.
a) True b) False
8. The malicious script in an XSS attack is executed on the victim server.
a) True b) False
9. CSRF attacks can cause malicious actions to the victim server without being captured by users.
a) True b) False
10. Threat modelling cannot help address vulnerabilities before software implementation.
a) True b) False
Part B
Single answer questions.
11. Which of the following statements is correct about the return address in a function call?
a) It is a pointer that points to the instruction for a return statement inside a function.
b) The return address is for transferring control between function calls.
c) The return address is saved in the stack frame and cannot be modified during runtime.
12. Which of the following statements is correct about race condition vulnerability?
a) It stems from concurrent data access.
b) Repeating check and use can eliminate this threat.
c) Using atomic operations for file open and use is not useful to mitigate this vulnerability.
15. Which of the following statements is not true regarding XSS attacks?
a) The attacker can run arbitrary JavaScript code on the victim's machine
b) The attack can happen if the user performs certain actions, e.g., clicking links or accessing malicious content
c) The attack cannot persistently infect the target server
16. Which of the following countermeasures cannot mitigate CSRF attacks?
a) Use origin header or referrer URL
b) Use random nonce to verify the http requests
c) Escape special characters in the user's input
17. Which of the following is not the direct consequence of SQL injection?
a) Data deletion.
b) Data decryption.
c) Data leakage.
18. Which of the following is not true for AES?
a) It operates on 128-bit block
b) The key size can be 64-bit, 128-bit, 192-bit or 256-bit
c) The IV in AES modes can be reused for encryption and decryption if the software wants to implement deterministic encryption in certain applications
20. Which of the following descriptions about STRIDE is not correct?
a) Spoofing can be exploited to compromise the authentication protocol of a website.
b) Tampering threat will break the integrity of the data.
c) Data confidentiality can be influenced by Denial of Service attacks.