Announcements

HW 5 and Review Sessions

Posted by: Matt Bishop
Date: Jun 5, 2016 11:59 am

Folks,

When you submit Homework 5 through Box, it is imperative that you use the following convention to name it:

your_name-hw5.ext

where “your_name” is your name, and “ext” is the extension of what you upload. If you need to upload multiple files, put them into a ZIP, TAR, or TGZ archive.

Several people have submitted a file named “hw5.pdf”. We discovered that even though you can't download it, you can overwrite it. Even if you uploaded a file, please check it is still there and the one you uploaded!

As for review sessions, here are the times and places:

I will hold office hours on Tuesday from 9–10am and 12–1pm. I should be around Monday afternoon and Tuesday as well.

Hope this helps,

Matt Bishop


No More SmartSite

Posted by: Matt Bishop
Date: May 26, 2016 11:14 pm

SmartSite is probably down for the rest of the quarter. I have set up a folder in Box for submitting Homework 4, and for submitting the revisions to the robustness part of Homework 3. All students should have access to these folders. If not, I have sent an email message giving you the email address to send your programs to. I will do something similar for Homework 5.

Thank you for your patience as I try to get things working.

Hope this helps,

Matt Bishop


Homework 4 Due Date and Problem 3

Posted by: Matt Bishop
Date: May 19, 2016 3:40 pm

I am extending the due date for Homework 4 to Thursday, May 26, at 11:55pm. If you meet the original deadline of Monday, May 23, you will receive 20 extra credit points. Remember, these are not added to your score; they are treated like any other extra credit points.

Also, in problem 3, to make life easier for the graders, use a macro for your UID, as follows. If your UID is 3456, put the macro

#define STUDENTUID 3456
in your C program (or header file) and compare the real UID of the executing process with that macro.

Hope this helps,

Matt Bishop


FAQ about Homework 3, Problem 4

Posted by: Matt Bishop
Date: May 9, 2016 2:20 pm

Here are the answers to some questions about the homework problem 4.

Q: When is the homework due?
A: You have until May 12, at 11:55pm, to submit it to SmartSite. Note for this assignment, we will not accept any late homework.

Q: If there are multiple input files, and you match a signature, what should you output to show the name of the file?
A: Let name be the name of the signature (the part before the ‘:’ in the vdetect.str file, file the name of the file, and bb the offset at which the first character of the matching signature occurs. Then your output should look like this:


file(bb): matched signature name
file(bb): matched signature name
If there is only 1 input file, or you are reading from the standard output, don’t name the input file:

(bb): matched signature name
(bb): matched signature name

Q: Can the name portion of name:string contain non-printable characters as well, or just regular strings? If so, would they be in the same format as the string portion (\xnn) or in their original form (like \0)?
A: It can contain anything except a colon. But the non-printing characters will be directly embedded, and not using the \xnn format. So you should not convert anything when reading in the name.

Q: I'm not sure what constitutes a malformed line in vdetect.str. The situations I can think of are:

  1. name contains a nonprinting character.
  2. No colon in a line.
Are these accurate? Are there any others we should look out for?
A: #2 is definitely malformed. #1 is not.

Q: Is an empty line malformed?
A: No

Q: What about whitespace in vdetect.str, do we ignore it?
A: Yes, ignore white space before the signature. If you need to start with white space, use \x20, which is the hex code for a blank.

Q: When you say “signature”, are you referring to the string portion of the name:string pair, or is the entire name:string the signature?
A: The “signature” is the string portion following the “:”.

Q: What if you want a definition with the characters \x00 exactly? Is there a way to escape characters? How do you express the characters \0x5c\0x78\x30\x30 exactly and conveniently?
A: Replace each \ with \x5c (which is the hex code for “\”)


Useful Clinic to Check Your Program Style

Posted by: Matt Bishop
Date: May 4, 2016 11:14 pm

There is a place you can get help for programming robustly; this may help you with the programming assignment in homework 3.

The Secure Programming Clinic is a clinic designed to help people write robust code. It works like a writing clinic. You bring your program to the clinic, and a clinician will go over it with you and look for non-robust coding practices. They will then help you figure out how to correct these. As 50% of your score for the program is its style, which is largely robustness, understanding and correcting problems before you turn it in will probably help your grade.

To make an appointment with one of the clinicians, please go to this page:

https://app.acuityscheduling.com/schedule.php?owner=12364236
The clinicians are Somdutta Bose and Minghua Zhu, and that page has their schedules and a place for you to sign up.

Now, some disclosures. Please read these, as it will provide some important information.

The Secure Programming Clinic is part of a National Science Foundation research project being run by UC Davis and Purdue University. I am the UC Davis principal investigator; Prof. Melissa Dark of Purdue is the Purdue principal investigator. We are working together, of course, and similar clinics are being run at Cal Poly (California Polytechnic State University in San Luis Obispo) and Sac State (California State University in Sacramento).

When you go to the clinic, you will be asked if we can use your programs and other ancillary data (demographics and assessments) to help us evaluate the effectiveness of the clinic. You are perfectly free to decline; you don’t need to consent to use the clinic. As explained below, I won’t know who is and who is not using the clinic, or who is and is not participating in the research, so that information won’t (can’t!) affect your grade. Read on to see how we are doing this.

If you agree to participate, the clinicians will keep a copy of the program you brought in. They will also obtain the final program you submit. In order to protect your privacy, and to prevent the instructor (me) from knowing who is using the clinic, the clinicians will take the following precautions to protect your identify. First, they will ask you for the last 6 digits of your student identifier. They will then assign a random number to that identifier. All records kept, such as your program, will be tied to the random number, and the clinicians will delete your name and/or student identifier from the programs. In order to track the programs, they will keep a record of the association between that number and the last 6 digits of your student identifier until the end of the class. At that point, the random number links all your data together, so the file containing the association will be securely deleted (overwritten with random patterns 7 times so it cannot be recovered). Thus, we will be able to link the programs together by the random number; we won't even have any part of your student identifier any more. The programs and other data will then be sent to Purdue University and analyzed by the researchers there, who are experts in technology education.

Note that, if you agree to participate, you don’t have to do any work beyond what is required for the class, except sign a consent form and supply some demographic information.

As I said earlier, at no point will I, the instructor, know whether you have used the clinic. This is important to understand, because whether you use it or not will have no effect on anything involving the class, except that your programming may improve — but as this can happen for many reasons, and I won’t see the original versions, I won’t know why. I won’t even know after the class, because the file of associations will be deleted from the clinicians’ system.

If you would like to ask questions about what information the clinicians will gather, what analyses will be done, get more details on how we will protect your privacy, or anything else, please ask me. But please, do not tell me if you plan to use the clinic!!!!

Hope this helps,

Matt Bishop


Change to Wednesday Office Hour

Posted by: Matt Bishop
Date: Apr 26, 2016 7:58 am

Folks,

I will not be able to make my Wednesday office hour at 9AM. So I am scheduling an office hour for today at 4:10PM to 5PM.

Hope this helps,

Matt Bishop


Spring Internship and Career Fair Reminder

Posted by: Matt Bishop
Date: Apr 19, 2016 2:19 pm

Folks,

From the Department Office:

Please remind students that the Spring Internship and Career Fair is this Wednesday, April 20th, 10AM–2PM at the ARC Pavilion. If you have questions regarding the fair, please contact the Internship and Career Center.

Hope this helps,

Matt Bishop


Office Hours Time Change

Posted by: Jonathan Vronsky
Date: Apr 7, 2016 2:07 pm

Hey class,

I will not be able to attend my office hours Monday April 11th. Instead I will hold 2 hours of office hours Friday April 15th 10am–12pm at Kemper 55.

Sorry for the inconvenience,

Jonathan Vronsky


Homework 2

Posted by: Matt Bishop
Date: Apr 7, 2016 8:46 am

Folks,

Homework 2 is now available. It is due on April 19.

I very strongly recommend you start early. In particular, expect question 4 to take quite a bit of time.

Hope this helps,

Matt Bishop


UC Davis sigil
Matt Bishop
Office: 2209 Watershed Sciences
Phone: +1 (530) 752-8060
Email: mabishop@ucdavis.edu
Valid HTML 4.01 Transitional Built with BBEdit Built on a Macintosh